INTRODUCTION 


Recently NASA, Langley Research Center and the Royal Signals and Radar 
Establishment (RSRE) have initiated a joint research program in formal 
verification of life-critical systems. The first phase of this work involves a 
critical assessment of the RSRE work on the VIPER microprocessor. The VIPER 
was designed by RSRE researchers specifically for life-critical applications 
and was subjected to a formal proof of correctness. The proof methodology is 
based on a hierarchical specification of the system design. This methodology 
was first illustrated on a 6-bit counter by RSRE in the RSRE Memorandum 3832 
entitled "Hardware Proofs using LCF-LSM and ELLA" by W. J. Cullyer and C. H. 
Pygott (ref. 1). In this paper, the RSRE approach to hardware verification is 
studied in the context of a different specification language, Revised Special, 
developed by SRI International (ref. 2). The reason the methodology is 
explored via a different specification language is twofold: (1) to expose any 
weaknesses in the methodology due to the specification language LCF-LSM, and 
(2) to explore the feasibility of using EHDM (Enhanced Hierarchical Design 
Methodology) for hardware verification using the RSRE methodology. 

In this paper RSRE's 6-bit counter example is re-specified in Revised 
Special. In the RSRE report, the proofs between the levels of the hierarchical 
specification were accomplished by hand. In this report, the proofs are 
performed using the EHDM (Enhanced Hierarchical Design Methodology) theorem 
proving system. The paper makes a comparison between the LCF-LSM and Revised 
Special languages. The viability of the RSRE methodology is discussed. 
Particular attention is given to the feasibility of using their methodology in 
concert with the EHDM tools. 

SUMMARY OF RSRE HARDWARE VERIFICATION METHODOLOGY 


The RSRE approach to verification is based on the use of hierarchical 
specification. The formal hierarchy consists of the following four levels: 

(1) Functional 

(2) Finite-state automata 

(3) Block model 

(4) Circuit model 


Each lower level in the hierarchy implements all of the functions of the top 
level. The top level consists of axioms which define the output of the 
circuitry in response to its inputs without any details of the steps that are 
performed to accomplish the computation. Thus, the top level is essentially 
the definition of the function. The second level decomposes the function into 
sequences of steps which can accomplish the overall functionality. The 
sequences of steps are defined by a finite-automata model. Proof that level 
(2) implements level (1) consists of demonstrating that these sequences of 
steps accomplish the function of level (1). 

At level (2) the computation performed by each transition of the finite 
automata is defined as a mathematical (sub)function. The details of how each 
of these subfunctions are computed is not specified until level (3). Level (3) 
defines how the subfunctions of level (2) are accomplished in terms of 
an electronic block diagram. The proof between level (2) and (3) 
establishes that the subfunctions of level (2) are properly computed by 
the blocks. Finally, the proof between level (3) and (4) establishes that the 
block diagram is correctly implemented by the circuit model. In the RSRE work 
the third level was also specified in ELLA in addition to the LCF-LSM 
specification. The properties at each level in the hierarchy must be proved to 
be theorems in the level below it. The proofs between the LCF-LSM levels were 
accomplished by hand; the proof between the ELLA block model and the circuit 
was accomplished by the method of "intelligent exhaustion". 


TOP-LEVEL SPECIFICATION OF SIX-BIT COUNTER 

The example RSRE used to illustrate their specification/verification 
methodology was a six-bit counter. The counter holds a value "count" which is 
either retained at its current value, loaded with a new value from an external 
source, or incremented once or twice depending on the value of "func", a two- 
bit control signal. The informal specification for the counter is: 

func = 0  Do nothing; "count" unchanged 
func = 1  Load "count" from a 6-bit parallel input, "loadin" 
func = 2  Increment "count": i.e. count := count + 1 
func = 3  Increment "count" twice: i.e. count := count + 2 


In the RSRE report this informal specification is translated into a formal 
specification written in LCF-LSM. The design of the counter is documented by a 
hierarchical specification where each successive level in the hierarchy 
introduces more detail as the result of design decisions. In this paper these 
specifications are presented in Revised Special. 

The formal specification of the counter in Revised Special is: 


cnt6: MODULE 
USING words 
THEORY 

  states: TYPE 
  word6: TYPE is word[6] 
  word2: TYPE is word[2] 

  state: VAR states 
  loadin, w: VAR word6 
  func: VAR word2 

  val2: function[word2 -> int] is val[2] 
  val6: function[word6 -> int] is val[6] 
  mw6: function[int -> word6] is mw[6] 

  cnt: function[states -> word6] 
  exec_cnt: function[states, word6, word2 -> states] 
  ready: function[states -> bool] 

  add1_mod64: function[word6 -> word6] == 
    (LAMBDA w -> word6: 
       IF val6(w) = 63 THEN mw6(0) 
       ELSE mw6(val6(w)+1) 
       END) 

  ready_ax: AXIOM ready(state) IMPLIES ready(exec_cnt(state, loadin, func)) 

  counter_ax: AXIOM ready(state) IMPLIES cnt(exec_cnt(state, loadin, func)) = 
    IF val2(func) = 0 THEN cnt(state) 
    ELSIF val2(func) = 1 THEN loadin 
    ELSIF val2(func) = 2 THEN add1_mod64(cnt(state)) 
    ELSE add1_mod64(add1_mod64(cnt(state))) 
    END 

END cnt6 
It is unnecessary to present details about Revised Special, since the above 
specification can be understood with a little explanation. (This is probably 
the best way to be introduced to a formal specification language — by way of 
example.) The first line assigns the name "cnt6" to the specification. The 
second line indicates that an external module "words" will be used in this 
module. This will be explained in more detail in the following discussion. 

The next three lines which follow the THEORY keyword define three "types" — 
"states", "word6", and "word2". These types will be used to distinguish logic 
variables which represent the state (or "count") of the machine, 6-bit words, 
and 2-bit words, respectively. Types serve the same function in the formal 
specification language as in a programming language — they enable the 
automatic system to detect user errors. 

The first type "states" is uninterpreted, that is, there is no domain of 
values or any meaning associated with it. At this level of abstraction it 
represents the state of the machine, but details about what constitutes the 
state of the machine are not specified. The two types, "word6" and "word2", are 
equated to word[6] and word[2] by the "is" clause. They represent the domain 
of 6-bit words and 2-bit words. N-bit words are used to specify N-bit 
transmission lines which can be interpreted as integers or as ordered sets of 
boolean values. The properties of the generic type word[N] are defined in the 
module "words" which is discussed in detail in the section entitled 
"SPECIFICATION OF N-BIT WORDS". The next three lines of the specification 
define four logic variables - "state", "loadin", "w" and "func". (Note. These 
are mathematical variables, not program variables.) Next, seven functions are 
defined. The meanings of these functions are: 


val2:       maps an unsigned 2-bit word to its positive integer equivalent 
val6:       maps an unsigned 6-bit word to its positive integer equivalent 
mw6:        maps a positive integer into an unsigned 6-bit word 

cnt:        returns the value of the 6-bit counter when applied to the "state" 
            of the machine 

exec_cnt:   maps the state of the machine to its new state when the counter is 
            "executed" 

ready:      when applied to the state of the machine returns "true" if and 
            only if the machine is in the ready state, i.e. ready to receive 
            the next "func". This function is necessary since the execution 
            of the counter is not instantaneous. There are intermediate 
            states in the machine. It is important to prove that when the 
            counter is executed (i.e. via exec_cnt), the machine returns to 
            a state where it is ready to receive the next input. (Note. This 
            property was not considered in the RSRE work). 

add1_mod64: adds 1 (modulo-64) to a 6-bit word 


The function "exec_cnt" defines the behavior of the counter. It maps the state 
of the counter, "loadin" and "func" to the new state, and thus defines the 
"execution" of the counter: 


[Figure: "exec_cnt" feeds "func" (2 bits), "loadin" (6 bits) and "state" into 
the COUNTER block and returns the new "state"; "cnt" feeds "state" into the 
COUNTER block and returns "count".] 


At this level of abstraction, the state of the machine has two observable 
aspects: the value of the counter and whether the machine is ready. The value 
of the counter is obtained by the function "cnt". The boolean indicating whether 
the machine is ready is obtained by the function "ready". The state is changed 
by "exec_cnt". If the machine is ready, then the counter will operate correctly 
and the state of the counter will be updated according to the "counter_ax" 
axiom. If "func" is 1, then the value of the counter is changed to the value 
"loadin". If "func" is 2, the increment is simple: if the current value of the 
counter (i.e. the value cnt(state)) is 63, the increment will turn over the 
counter to mw6(0) (i.e. the 6-bit word whose value is 0). Otherwise, it is just 
the value of the counter plus one (i.e. mw6(val6(cnt(state))+1)). 
Thus, for "func" = 2 the value of the counter becomes 

add1_mod64( cnt(state) ) 

If the value of "func" is 3, then a double increment is performed: 

add1_mod64( add1_mod64( cnt(state) ) ) 

The second axiom, "ready_ax", expresses the concept that a complete execution 
of the counter returns the counter to a ready state, if it was originally 
ready. 


THE FINITE-STATE AUTOMATA SPECIFICATION 

The counter is described as a finite-state automata at this level of 
abstraction. The second level in the hierarchy is called the major-state 
specification in later RSRE documents, but is referred to as the finite-state 
automata specification throughout this paper. The finite automata consists of 
4 states named "fetch", "inc1", "inc2" and "load" shown in figure 1. The 
machine is assumed to start in the "fetch" state. 


The "add1_mod64" function is defined ... notation ... 

[Figure 1: the four nodes "fetch", "inc1", "inc2" and "load" with transitions 
labelled by "func" values, e.g. "func=0".] 

Figure 1. Diagram of finite-state automata 

It is necessary not only to describe this finite-state automata formally, but 
also mathematically map the more abstract specification onto this 
specification. These issues are addressed in the next two sections. 

Definition of Finite-state Automata 

The finite state model is defined using two external modules "words" and 
"triples".[1] The first module "words" provides a formal definition of what 
constitutes an N-bit word. This specification module is generic and can be 
used for other hardware designs. The module "words" is described in detail in 
the section called "FORMAL SPECIFICATION OF N-BIT WORDS". The theory of N-bit 
words can be used by "importing" the "words" module via a USING clause or the 
similar MAPPING clause. This module defines the following functions: 

val: maps an N-bit word to an unsigned integer 

mw: maps an unsigned integer to an N-bit word 

bit: returns the contents of a specified bit in a word 

These functions are defined in a "parameterized" module (i.e. parameterized by 
N, the number of bits in a word). Thus, for each "instantiation" of the module 
(i.e. declaration in a USING clause), there are three different functions. For 
example, 

USING words[2], words[6] 

defines two types - word[2] and word[6] - and six functions - val[2], mw[2], 
bit[2], val[6], mw[6], bit[6]. 

[1] Modules serve the same purpose in Revised Special as they do in a 
programming language - they facilitate the definition and re-use of 
specifications. 


The module "triples" defines the concept of an "ordered triple".[2] The ordered 
triple has three components which can be accessed with the functions "first", 
"second", and "third". An ordered triple is created from individual components 
via the function make_triple. The relationship between these functions is 
described by the following axiom in the triples module: 

make_triple_ax: AXIOM 
      x = first(make_triple(x, y, z)) 
  AND y = second(make_triple(x, y, z)) 
  AND z = third(make_triple(x, y, z)) 

The "state" of the finite-state machine is designated by an ordered triple 

(count, double, node) 

where 

count = the current value of the counter, a number between 0 and 63 
        inclusive 

double = a boolean variable which is true if and only if a double 
         increment is to be performed 

node = indicates at which node the machine is currently located 

[2] Mathematicians typically use the notation (x,y,z) to define a triple. 
This triple is defined formally as follows: 

USING triples[word[6], bool, word[2]] 

statevector: TYPE is triple 
count: function[statevector -> word6] is first 
double: function[statevector -> bool] is second 
node: function[statevector -> word2] is third 

The first line imports the generic theory of triples. The module was 
parameterized by "word[6], bool, word[2]". This results in a triple 
where the first component is of type word[6], the second component is of type 
bool and the third component is word[2]. To enhance readability of the 
specification, alternate names are given to the names which are exported from 
the "triples" module in the next 4 lines.[3] Thus statevector is an alternate 
name for the type "triple" with the following components -- a 6-bit word, a 
boolean, and a 2-bit word. The individual components of the triple are 
accessed via the functions -- "count", "double", and "node". 

The allowed transitions of the finite automata are defined by the NEXT 
function. The NEXT function maps the "statevector" to the new "statevector" in 
response to the 2-bit function code "func" and "loadin": 

NEXT: function[statevector, word6, word2 -> statevector] 

This function was defined as follows in the original version: 

next: function[statevector, word6, word2 -> statevector] = 
  (LAMBDA stv, ldn, fn -> statevector: 
     IF val2(node(stv)) = 0 THEN 
        FETCH(count(stv), double(stv), ldn, fn) 
     ELSIF val2(node(stv)) = 1 THEN 
        INC1(count(stv), double(stv), ldn, fn) 
     ELSIF val2(node(stv)) = 2 THEN 
        INC2(count(stv), double(stv), ldn, fn) 
     ELSE 
        LOAD(count(stv), double(stv), ldn, fn) 
     END) 

Unfortunately, when the function was defined in this manner, the EHDM theorem 
prover required excessive amounts of time. The properties of "NEXT" were 
consequently defined using 4 separate axioms: 

[3] In EHDM synonyms are defined using the keyword "is". 


NEXT0_ax: AXIOM val2(node(stv)) = 0 IMPLIES 
    NEXT(stv, ldn, fn) = FETCH(count(stv), double(stv), ldn, fn) 

NEXT1_ax: AXIOM val2(node(stv)) = 1 IMPLIES 
    NEXT(stv, ldn, fn) = INC1(count(stv), double(stv), ldn, fn) 

NEXT2_ax: AXIOM val2(node(stv)) = 2 IMPLIES 
    NEXT(stv, ldn, fn) = INC2(count(stv), double(stv), ldn, fn) 

NEXT3_ax: AXIOM val2(node(stv)) = 3 IMPLIES 
    NEXT(stv, ldn, fn) = LOAD(count(stv), double(stv), ldn, fn) 


By defining the properties of NEXT using four axioms, the theorem prover could 
be directed to find the proof in a more efficient manner.[4] The function NEXT 
is defined in terms of the subfunctions INC1, INC2, LOAD, and FETCH to enhance 
the readability of the specification. Originally all of the subfunctions were 
defined using the LAMBDA syntax. However, in this form the formal proofs 
(i.e., proving that this level implements the top-level spec) required 
exorbitant amounts of CPU time. These functions were redefined using 
axiomatic definitions and the proofs required only a few minutes to complete.[5] 
The total functionality of the counter is captured in the function 
"Finite_automata": 


Finite_automata: function[statevector, word6, word2 -> statevector] = 
  (LAMBDA svt, ldn, fn -> statevector: 
     IF val2(fn) = 0 THEN 
        NEXT(svt, ldn, fn) 
     ELSIF val2(fn) = 3 THEN 
        NEXT(NEXT( NEXT(svt, ldn, fn), ldn, fn ), ldn, fn) 
     ELSE 
        NEXT( NEXT(svt, ldn, fn), ldn, fn ) 
     END) 


[4] One could easily prove that the former specification defines a function 
which is equivalent to the function defined by these four axioms. 

[5] Although defining the subfunctions with axioms increases the work of the 
human prover --i.e. one must explicitly cite the axiom whenever the 
function is used in a formula being proved --, the amount of proving time 
can be drastically reduced. The reduction in proving time comes by only 
citing the functions whose expansion is relevant to the proof. 
This function defines the sequence of calls of "NEXT" which accomplish each 
function. This function represents a "spanning tree" of the graph shown in 
figure 2. 



Figure 2. - Spanning Tree for Finite-Automata 

If "Finite_Automata" is defined properly, the counter will be returned to the 
"fetch" node at the completion of the function as well as performing the 
specified function. 


Mapping to the Top-Level Specification 

The mappings to the higher level of abstraction are made using EHDM mapping 
statements. (In the RSRE report the connections between models were informal). 
EHDM requires that a mapping be provided for every uninterpreted type and every 
constant of the module being mapped (i.e. the higher level specification). In 
"cnt6" the following uninterpreted type was defined: 

states 

The following functions were defined: 

cnt, exec_cnt, ready 
These are "mapped" in module "cnt6_fa" as follows: 

cnt6.states: TYPE FROM statevector 

cnt6.cnt: function[statevector -> word6] is count 

cnt6.exec_cnt: function[statevector, word6, word2 -> statevector] 
    is Finite_automata 

cnt6.ready: function[statevector -> bool] = 
    (LAMBDA stv -> bool: node(stv) = fetchnode) 

The "cnt6." prefix indicates that "cnt6" functions are being mapped. 

The "cnt6" function "cnt" is mapped to "count" which is an abbreviation for the 
first component accessor function "first" of type "triples". 

The "cnt6" function "exec_cnt" is mapped to the function "Finite_automata". 

The "cnt6" function "ready" is mapped by a function that returns true if and 
only if the automata is currently located at "fetchnode": 

cnt6.ready: function[statevector -> bool] = 
    (LAMBDA stv -> bool: node(stv) = fetchnode) 

The need for this function now becomes clear. It is possible that an 
improperly designed counter could return the correct "count" but not correctly 
return the machine to the proper state, namely "fetchnode", where it is ready 
for the next input. This captures the "sequential" nature of the circuit. 

This property was not captured in the RSRE LCF-LSM specification. 

External Interface and Timing Issues 

The RSRE report does not formally define the interaction of the counter 
with respect to asynchronous changes in "func" and "loadin". The report 
examined the impact of changes in "func" and "loadin" while the finite automata 
is executing by a method called "hoisting the exit conditions". The method is 
built on the concept that the finite automata samples from lists of "func" and 
"loadin" values. These lists contain countable sequences of values which the 
"func" and "loadin" lines contain at the time points at which the finite automata 
samples them. The finite automata is assumed to be driven by a synchronous 
clock — one clock tick per transition of the finite automata. Thus, the calls 
to "NEXT" are triggered by the synchronous clock. The analysis given in the 
RSRE report indicates how to match the values in the list with the execution of 
the counter. 

Since it is possible that the value of "func" or "loadin" can change over 
time, this must be accounted for in the specification. In the cnt6_fa 
specification above it is implicitly assumed that the values do not change 
until the counter has returned to the "fetchnode" state. This is implied by 
the fact that all of the calls to "NEXT" in the function "Finite_automata" use 
the same values of "ldn" and "fn" (i.e. the parameters which correspond to 
"loadin" and "func" in the top spec). For example, 

NEXT(NEXT( NEXT(svt, ldn, fn), ldn, fn ), ldn, fn) 

If this assumption is not valid, the specification could be generalized by 
defining a list of "func" and "loadin'' signal values: 

clocktime: TYPE is int 

funcsigs: function[clocktime -> word2] 
loadinsigs: function! clocktime -> word6] 

These functions "map" the synchronous clock time to the values of "func" and 
"loadin" at those times. It is necessary to assume that the values of "func" 
and "loadin" are "stable" at the time that the finite automata samples them. 

In order to relate the behavior of the finite automata over time to these 
input values it is necessary to extend the definition of state to include time: 

(count, double, node, clk) 

The first three components are as before. The fourth component indicates the 
current time, i.e. the number of clock pulses which have been sent to the 
automata thus far. Formally, we would have: 

USING quads[word6, bool, word2, nat] 
statevector: TYPE is quad 

count: function[statevector -> word6] is first 
double: function[statevector -> bool] is second 
node: function[statevector -> word2] is third 
clk: function[statevector -> nat] is fourth 

Function "NEXT" and its subfunctions would have to be modified to increment the 
value of clk. For example, 


NEXT0_ax: AXIOM val2(node(stv)) = 0 IMPLIES 
  NEXT(stv, ldn, fn) = FETCH(count(stv), double(stv), clk(stv), ldn, fn) 
    = IF val2(fn) = 0 THEN 
         make_quad(count(stv), BOOLF(bit2(0, fn)), fetchnode, clk(stv)+1) 
      ELSIF val2(fn) = 1 THEN 
         make_quad(count(stv), BOOLF(bit2(0, fn)), loadnode, clk(stv)+1) 
      ELSE 
         make_quad(count(stv), BOOLF(bit2(0, fn)), inc1node, clk(stv)+1) 
      END 


The net result would be to formally connect the arguments of "NEXT" in the 
definition of "Finite_automata" to the sequence of func and loadin values over 
clock time: 

NEXT(NEXT( NEXT( svt, loadinsigs(1), funcsigs(1) ), 
                 loadinsigs(2), funcsigs(2) ), 
           loadinsigs(3), funcsigs(3) ) 

The cnt6_fa Specification 

The cnt6_fa specification excluding the proofs is: 

cnt6_fa: MODULE 
MAPPING cnt6 ONTO words, triples[word[6], bool, word[2]], bsignal 
THEORY 

(* create some abbreviations *) 

  word2: TYPE is word[2] 
  word6: TYPE is word[6] 

  mw2: function[int -> word2] is mw[2] 
  mw6: function[int -> word6] is mw[6] 
  val2: function[word2 -> int] is val[2] 
  val6: function[word6 -> int] is val[6] 
  bit2: function[int, word2 -> signalval] is bit[2] 

  statevector: TYPE is triple 
  count: function[statevector -> word6] is first 
  double: function[statevector -> bool] is second 
  node: function[statevector -> word2] is third 

  BOOLF: function[signalval -> bool] is signal_to_bool 

(* define logic constants *) 

  fetchnode: word2 = mw2(0) 
  inc1node: word2 = mw2(1) 
  inc2node: word2 = mw2(2) 
  loadnode: word2 = mw2(3) 
  undef_svt: statevector 

(* define logic variables *) 

  svt: VAR statevector 
  ct, ldn, w: VAR word6 
  fn: VAR word2 
  dbl, b: VAR bool 

(* define functions *) 

  ADD1: function[word6 -> word6] == 
    (LAMBDA w -> word6: IF val6(w) = 63 THEN mw6(0) ELSE mw6(val6(w)+1) END) 

  INC1: function[word6, bool, word6, word2 -> statevector] 
  INC1_ax: AXIOM INC1(ct, dbl, ldn, fn) = 
    IF dbl THEN make_triple(ADD1(ct), BOOLF(bit2(0, fn)), inc2node) 
    ELSE make_triple(ADD1(ct), BOOLF(bit2(0, fn)), fetchnode) 
    END 

  INC2: function[word6, bool, word6, word2 -> statevector] 
  INC2_ax: AXIOM INC2(ct, dbl, ldn, fn) = 
    make_triple(ADD1(ct), BOOLF(bit2(0, fn)), fetchnode) 

  LOAD: function[word6, bool, word6, word2 -> statevector] 
  LOAD_ax: AXIOM ... 

  FETCH: function[word6, bool, word6, word2 -> statevector] 
  FETCH_ax: AXIOM FETCH(ct, dbl, ldn, fn) = 
    IF val2(fn) = 0 THEN make_triple(ct, BOOLF(bit2(0, fn)), fetchnode) 
    ELSIF val2(fn) = 1 THEN make_triple(ct, BOOLF(bit2(0, fn)), loadnode) 
    ELSE make_triple(ct, BOOLF(bit2(0, fn)), inc1node) 
    END 

  NEXT: function[statevector, word6, word2 -> statevector] 

(* single-axiom definition of NEXT, replaced by NEXT0_ax .. NEXT3_ax below 

  NEXT_ax: AXIOM NEXT(svt, ldn, fn) = 
    IF val2(node(svt)) = 0 THEN FETCH(count(svt), double(svt), ldn, fn) 
    ELSIF val2(node(svt)) = 1 THEN INC1(count(svt), double(svt), ldn, fn) 
    ELSIF val2(node(svt)) = 2 THEN INC2(count(svt), double(svt), ldn, fn) 
    ELSIF val2(node(svt)) = 3 THEN LOAD(count(svt), double(svt), ldn, fn) 
    ELSE undef_svt 
    END 
*) 

  NEXT0_ax: AXIOM val2(node(svt)) = 0 IMPLIES 
    NEXT(svt, ldn, fn) = FETCH(count(svt), double(svt), ldn, fn) 

  NEXT1_ax: AXIOM val2(node(svt)) = 1 IMPLIES 
    NEXT(svt, ldn, fn) = INC1(count(svt), double(svt), ldn, fn) 

  NEXT2_ax: AXIOM val2(node(svt)) = 2 IMPLIES 
    NEXT(svt, ldn, fn) = INC2(count(svt), double(svt), ldn, fn) 

  NEXT3_ax: AXIOM val2(node(svt)) = 3 IMPLIES 
    NEXT(svt, ldn, fn) = LOAD(count(svt), double(svt), ldn, fn) 

  Finite_automata: function[statevector, word6, word2 -> statevector] = 
    (LAMBDA svt, ldn, fn -> statevector: 
       IF val2(fn) = 0 THEN 
          NEXT(svt, ldn, fn) 
       ELSIF val2(fn) = 3 THEN 
          NEXT(NEXT( NEXT(svt, ldn, fn), ldn, fn ), ldn, fn) 
       ELSE 
          NEXT( NEXT(svt, ldn, fn), ldn, fn ) 
       END) 

(* Mapping to Top Level Spec in Module cnt6 *) 

  cnt6.states: TYPE FROM statevector 
  cnt6.cnt: function[statevector -> word6] is count 
  cnt6.exec_cnt: function[statevector, word6, word2 -> statevector] 
    is Finite_automata 
  cnt6.ready: function[statevector -> bool] = 
    (LAMBDA svt -> bool: node(svt) = fetchnode) 

END cnt6_fa 
Strengthening the Top-Level Specification 

The top-level specification defines the operation of the counter when 
"ready" is true, i.e. when it is ready for input. But, an implementation that 
is never ready satisfies the specification above. The following mappings would 
satisfy the specification: 

cnt6.ready: function[statevector -> bool] = FALSE 

cnt6.states: TYPE 

cnt6.cnt: function[statevector -> word6] 

cnt6.exec_cnt: function[statevector, word6, word2 -> statevector] 

The following property would preclude trivial implementations: 

reset_ready_ax: AXIOM NOT ready(state) and func = 0 IMPLIES 
    ready(exec_cnt(state, loadin, func)) 

This property would define "func=0" as a reset, i.e., regardless of which state 
the counter is currently in, if the counter is "executed" with "func=0" it will 
be returned to "fetchnode". Unfortunately, the RSRE implementation does not 
satisfy this property. If the counter is located at state "inc1node" and 
"double(state)" is true, then the counter would transition to "inc2node" in 
response to a "func=0" command. The following more complicated property also 
precludes trivial solutions and is satisfied by the RSRE implementation: 

eventually_ready_ax: AXIOM 
    NOT ready(state) and func = 0 IMPLIES 
    ready(exec_cnt(exec_cnt(state, loadin, func), loadin, func)) 

BLOCK DIAGRAM SPECIFICATION 

This section describes the third level in the hierarchy — the block 
diagram specification. In the RSRE work the block-diagram spec was the lowest 
level of the system specified in the formal language LCF-LSM. They created a 
second description of the block diagram in the hardware design language ELLA 
(ref. 3). The connection between these two theoretically equivalent 
specifications was informal. The connection between the ELLA specification and 
the lower level circuit description was done using the method of "Intelligent 
Exhaustion" (ref. 4). 
This specification describes the system as a block diagram illustrated in 
figure 3. 

[Figure 3: the blocks of the counter with the state signals "count", "node" 
and "double" and the composite block "Countlogic".] 

Figure 3. - Block Diagram Specification 


The finite automata is implemented by the following blocks (or subcircuits): 

INCLOGIC  MULTIPLEX  MPLXCON  INCCON  NEXTNODE 

The internal state variables (i.e. count, node and double) are assumed to be 
stored by latches which maintain their values between clock ticks. This is not 
explicitly formalized in the RSRE methodology. Consequently, it is possible 
that an implementation which failed to store these variables in latches would 
not be detected as erroneous by the RSRE methodology. Although informally this 
could be checked, it is not clear how this could be detected by an automatic 
theorem prover. 
The cnt6_blk specification without proofs is: 

cnt6_blk: MODULE 
MAPPING cnt6_fa ONTO words, triples[word[6], bool, word[2]], bsignal 
THEORY 

(* define abbreviations for 'words' *) 

  word2: TYPE is word[2] 
  word6: TYPE is word[6] 

  mw2: function[int -> word2] is mw[2] 
  val2: function[word2 -> int] is val[2] 
  bit2: function[int, word2 -> signalval] is bit[2] 
  mw6: function[int -> word6] is mw[6] 
  val6: function[word6 -> int] is val[6] 
  bit6: function[int, word6 -> signalval] is bit[6] 

  BOOLF: function[signalval -> bool] is signal_to_bool 

  statevector: TYPE is triple 

(* logic constants defined in cnt6_fa *) 

  fetchnode: word2 = mw2(0) 
  inc1node: word2 = mw2(1) 
  inc2node: word2 = mw2(2) 
  loadnode: word2 = mw2(3) 

(* define logic variables *) 

  stv: VAR statevector 
  ct, incout, loadin: VAR word6 
  noinc: VAR bool 
  nd, func: VAR word2 
  dbl: VAR bool 
  mplxsel: VAR bool 

(* define functions *) 

  INCLOGIC: function[word6, bool -> word6] 
  INCLOGIC_ax: AXIOM INCLOGIC(ct, noinc) = 
    IF noinc THEN ct 
    ELSE ADD1(ct) 
    END 

  MULTIPLEX: function[word6, word6, bool -> word6] 
  MULTIPLEX_ax: AXIOM MULTIPLEX(incout, loadin, mplxsel) = 
    IF mplxsel THEN incout 
    ELSE loadin 
    END 

  MPLXCON: function[word2 -> bool] = 
    (LAMBDA nd -> bool: NOT (val2(nd) = 3)) 

  INCCON: function[word2 -> bool] = 
    (LAMBDA nd -> bool: (val2(nd) = 0)) 

  NEXTNODE: function[word2, word2, bool -> word2] 

(* single-axiom definition of NEXTNODE, replaced by the three axioms below 

  NEXTNODE_ax: AXIOM NEXTNODE(nd, func, dbl) = 
    IF val2(nd) = 0 THEN 
       IF val2(func) = 0 THEN fetchnode 
       ELSIF val2(func) = 1 THEN loadnode 
       ELSE inc1node 
       END 
    ELSIF val2(nd) = 1 THEN 
       IF dbl THEN inc2node 
       ELSE fetchnode 
       END 
    ELSE 
       fetchnode 
    END 
*) 

  NEXTNODE0_ax: AXIOM val2(nd) = 0 IMPLIES 
    NEXTNODE(nd, func, dbl) = 
      IF val2(func) = 0 THEN fetchnode 
      ELSIF val2(func) = 1 THEN loadnode 
      ELSE inc1node 
      END 

  NEXTNODE1_ax: AXIOM val2(nd) = 1 IMPLIES 
    NEXTNODE(nd, func, dbl) = IF dbl THEN inc2node 
                              ELSE fetchnode 
                              END 

  NEXTNODE2a3_ax: AXIOM val2(nd) = 2 or val2(nd) = 3 IMPLIES 
    NEXTNODE(nd, func, dbl) = fetchnode 

  COUNTLOGIC: function[statevector, word6, word2 -> statevector] = 
    (LAMBDA stv, loadin, func -> statevector: 
       make_triple( MULTIPLEX( INCLOGIC( count(stv), INCCON(node(stv)) ), 
                               loadin, 
                               MPLXCON(node(stv)) ), 
                    BOOLF(bit2(0, func)), 
                    NEXTNODE(node(stv), func, double(stv)) )) 

  cnt6_fa.NEXT: function[statevector, word6, word2 -> statevector] = COUNTLOGIC 

END cnt6_blk 
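As an added example (not code from the paper, from RSRE or from SRI), the Python model below puts the three upper levels next to each other and discharges the proof obligations between them by exhaustive enumeration instead of theorem proving: "counter_ax" and "ready_ax" of cnt6, NEXT and Finite_automata of cnt6_fa, and COUNTLOGIC of cnt6_blk. The state space is small (64 counts x 2 double flags x 4 nodes, with 64 "loadin" values and 4 "func" codes), so every case is checked, in the spirit of the RSRE "intelligent exhaustion" used at the circuit level. The same enumeration tests the "reset_ready_ax" and "eventually_ready_ax" properties of the previous section and returns the counterexample the paper describes for the first. Assumptions: an N-bit word is a Python int, signalval is bool so BOOLF is the identity, and the body of LOAD_ax, which is illegible in the scan, is taken to be make_triple(ldn, BOOLF(bit2(0,fn)), fetchnode).

```python
# Added example (not from the paper): executable model of cnt6, cnt6_fa and
# cnt6_blk with exhaustive refinement checks.  Assumptions: an N-bit word is a
# Python int 0..2^N-1, signalval is bool (BOOLF is the identity), and LOAD_ax
# (illegible in the scan) is make_triple(ldn, BOOLF(bit2(0,fn)), fetchnode).
from itertools import product

FETCHNODE, INC1NODE, INC2NODE, LOADNODE = 0, 1, 2, 3   # mw2(0) .. mw2(3)

def val(w, n):                      # val[n]: unsigned value of an n-bit word
    return w & ((1 << n) - 1)

def mw(i, n):                       # mw[n]: integer -> n-bit word (mod 2^n)
    return i % (1 << n)

def bit(k, w):                      # bit[n]: contents of bit k of w, as bool
    return bool((w >> k) & 1)

def add1_mod64(w):                  # add1_mod64 of cnt6 / ADD1 of cnt6_fa
    return mw(0, 6) if val(w, 6) == 63 else mw(val(w, 6) + 1, 6)

# ---- level 1: cnt6.  counter_ax gives the count after one execution ----
def counter_ax(count, loadin, func):
    f = val(func, 2)
    if f == 0: return count
    if f == 1: return loadin
    if f == 2: return add1_mod64(count)
    return add1_mod64(add1_mod64(count))

# ---- level 2: cnt6_fa.  statevector = (count, double, node) ----
def FETCH(ct, dbl, ldn, fn):
    f = val(fn, 2)
    nxt = FETCHNODE if f == 0 else LOADNODE if f == 1 else INC1NODE
    return (ct, bit(0, fn), nxt)

def INC1(ct, dbl, ldn, fn):
    return (add1_mod64(ct), bit(0, fn), INC2NODE if dbl else FETCHNODE)

def INC2(ct, dbl, ldn, fn):
    return (add1_mod64(ct), bit(0, fn), FETCHNODE)

def LOAD(ct, dbl, ldn, fn):         # assumed body (LOAD_ax is illegible)
    return (ldn, bit(0, fn), FETCHNODE)

def NEXT(svt, ldn, fn):             # NEXT0_ax .. NEXT3_ax, dispatched on node
    ct, dbl, node = svt
    return (FETCH, INC1, INC2, LOAD)[val(node, 2)](ct, dbl, ldn, fn)

def finite_automata(svt, ldn, fn):  # the spanning tree of figure 2
    f = val(fn, 2)
    if f == 0: return NEXT(svt, ldn, fn)
    if f == 3: return NEXT(NEXT(NEXT(svt, ldn, fn), ldn, fn), ldn, fn)
    return NEXT(NEXT(svt, ldn, fn), ldn, fn)

def ready(svt):                     # the cnt6.ready mapping
    return svt[2] == FETCHNODE

# ---- level 3: cnt6_blk.  COUNTLOGIC wired from the five blocks ----
def INCLOGIC(ct, noinc):                return ct if noinc else add1_mod64(ct)
def MULTIPLEX(incout, loadin, mplxsel): return incout if mplxsel else loadin
def MPLXCON(nd):                        return val(nd, 2) != 3
def INCCON(nd):                         return val(nd, 2) == 0

def NEXTNODE(nd, func, dbl):
    n, f = val(nd, 2), val(func, 2)
    if n == 0: return FETCHNODE if f == 0 else LOADNODE if f == 1 else INC1NODE
    if n == 1: return INC2NODE if dbl else FETCHNODE
    return FETCHNODE

def COUNTLOGIC(stv, loadin, func):
    ct, dbl, nd = stv
    return (MULTIPLEX(INCLOGIC(ct, INCCON(nd)), loadin, MPLXCON(nd)),
            bit(0, func), NEXTNODE(nd, func, dbl))

# ---- proof obligations, discharged by enumeration ----
STATES = list(product(range(64), (False, True), range(4)))
INPUTS = list(product(range(64), range(4)))   # (loadin, func)

def fa_implements_top():
    """cnt6_fa -> cnt6: from every ready state, Finite_automata yields the
    count demanded by counter_ax and lands in a ready state (ready_ax)."""
    return all(finite_automata(s, ld, fc)[0] == counter_ax(s[0], ld, fc)
               and ready(finite_automata(s, ld, fc))
               for s in STATES if ready(s) for ld, fc in INPUTS)

def blk_implements_fa():
    """cnt6_blk -> cnt6_fa: COUNTLOGIC agrees with NEXT on every state/input."""
    return all(COUNTLOGIC(s, ld, fc) == NEXT(s, ld, fc)
               for s in STATES for ld, fc in INPUTS)

def reset_ready_counterexample():
    """reset_ready_ax: one func=0 execution from a non-ready state should
    reach fetchnode.  Returns the first violating state, or None."""
    return next((s for s in STATES
                 if not ready(s) and not ready(finite_automata(s, 0, 0))), None)

def eventually_ready_holds():
    """eventually_ready_ax: two func=0 executions always reach fetchnode."""
    return all(ready(finite_automata(finite_automata(s, 0, 0), 0, 0))
               for s in STATES if not ready(s))

if __name__ == "__main__":
    print("cnt6_fa implements cnt6:", fa_implements_top())
    print("cnt6_blk implements cnt6_fa:", blk_implements_fa())
    print("reset_ready_ax counterexample:", reset_ready_counterexample())
    print("eventually_ready_ax holds:", eventually_ready_holds())
```

The checks return booleans or a state tuple (count, double, node), so they can be asserted on directly; the counterexample returned for reset_ready_ax is count 0, double true, at inc1node, which is exactly the case the previous section describes. Note that COUNTLOGIC re-samples the double flag from bit 0 of "func" on every transition, just as the cnt6_fa subfunctions do; a block that only latched "double" in FETCH would fail blk_implements_fa on every state where the stored flag and the func bit disagree.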


SPECIFICATION OF CIRCUIT 

In this section the 6-bit counter is expressed in terms of low-level circuit 
elements — NAND2, INV, XNOR, etc. In the RSRE paper, this level was only 
defined in the ELLA language. Although the MAPPINGS to "cnt6_blk" have been 
included, none of the proofs between this level and the block model have yet 
been attempted. 


Listing of Cnt6_cir


cnt6_cir: MODULE

MAPPING cnt6_blk ONTO words, triples, bsignal
THEORY

(* abbreviations *)

word2: TYPE is word[2]
word6: TYPE is word[6]

cntrlsigs: TYPE is triple[bool,bool,word[2]]

bit2: function[int, word2 -> bool] is bit[2]
bit6: function[int, word6 -> bool] is bit[6]
assign2: function[int, bool, word2 -> word2] is assign[2]
assign6: function[int, bool, word6 -> word6] is assign[6]

(* circuit elements *)

b,b1,b2,b3,b4: VAR bool

INV: function[bool -> bool] = (LAMBDA b -> bool: not b)

NAND2: function[bool, bool -> bool] =
    (LAMBDA b1,b2 -> bool: not (b1 and b2))

NAND3: function[bool, bool, bool -> bool] =
    (LAMBDA b1,b2,b3 -> bool: not (b1 and b2 and b3))

NAND4: function[bool, bool, bool, bool -> bool] =
    (LAMBDA b1,b2,b3,b4 -> bool: not (b1 and b2 and b3 and b4))

XNOR: function[bool, bool -> bool] =
    (LAMBDA b1,b2 -> bool: not (not b1 and b2 or b1 and not b2))

NOR2: function[bool, bool -> bool] =
    (LAMBDA b1,b2 -> bool: not (b1 or b2))

(* logic variables *)

i0,i1,i2,i3,i4,i5: VAR bool
lbit,lsel,incbit,incsel: VAR bool
incout,loadin,cntr: VAR word6
mplxsel,noinc,Double: VAR bool
Node,Func: VAR word2

(* circuit definition *)

output: function[bool, bool, bool, bool, bool, bool -> word6] =
    (LAMBDA i0,i1,i2,i3,i4,i5 -> word6:
        assign6(0,i0,
        assign6(1,i1,
        assign6(2,i2,
        assign6(3,i3,
        assign6(4,i4,
        assign6(5,i5,newword[6])))))))

bitsel: function[bool, bool, bool, bool -> bool] =
    (LAMBDA lbit,lsel,incbit,incsel -> bool:
        NAND2( NAND2(lbit,lsel), NAND2(incbit,incsel) ) )

MPLEXCIRC: function[word6,word6,bool -> word6]

MPLEXCIRC_ax: AXIOM MPLEXCIRC(incout, loadin, mplxsel) =
    output(
        bitsel( bit6(0,loadin), INV(mplxsel), bit6(0,incout), mplxsel ),
        bitsel( bit6(1,loadin), INV(mplxsel), bit6(1,incout), mplxsel ),
        bitsel( bit6(2,loadin), INV(mplxsel), bit6(2,incout), mplxsel ),
        bitsel( bit6(3,loadin), INV(mplxsel), bit6(3,incout), mplxsel ),
        bitsel( bit6(4,loadin), INV(mplxsel), bit6(4,incout), mplxsel ),
        bitsel( bit6(5,loadin), INV(mplxsel), bit6(5,incout), mplxsel ) )

carry4bar: function[word6, bool -> bool] =
    (LAMBDA cntr,noinc -> bool:
        NAND4( INV(noinc), bit6(0,cntr), bit6(1,cntr), bit6(1,cntr) ) )

INCCIRC: function[word6, bool -> word6] =
    (LAMBDA cntr,noinc -> word6:
        output(
            XNOR( bit6(0,cntr), noinc ),
            XNOR( bit6(1,cntr), NAND2( INV(noinc), bit6(0,cntr) ) ),
            XNOR( bit6(2,cntr),
                  NAND3( INV(noinc), bit6(0,cntr), bit6(1,cntr) ) ),
            XNOR( bit6(3,cntr), carry4bar(cntr,noinc) ),
            XNOR( bit6(4,cntr),
                  NAND2( INV(carry4bar(cntr,noinc)), bit6(3,cntr) ) ),
            XNOR( bit6(5,cntr),
                  NAND3( INV(carry4bar(cntr,noinc)),
                         bit6(3,cntr),
                         bit6(4,cntr) ) )
        )
    )

inccon: function[word2 -> bool] =
    (LAMBDA Node -> bool:
        NOR2( bit2(0,Node), bit2(1,Node) ) )

common: function[word2,word2 -> bool] =
    (LAMBDA Node,Func -> bool:
        NAND3( inccon(Node), INV(bit2(1,Func)), bit2(0,Func) ) )

CONTROLCIR: function[word2,word2,bool -> cntrlsigs] =
    (LAMBDA Node,Func,Double -> cntrlsigs:
        make_triple( inccon(Node),
                     NAND2( bit2(0,Node), bit2(1,Node) ),
                     assign2( 0, NAND2( common(Node,Func),
                                        NAND2( inccon(Node), bit2(1,Func) ) ),
                     assign2( 1, NAND2( common(Node,Func),
                                        NAND3( Double,
                                               bit2(0,Node),
                                               INV(bit2(1,Node)) ) ),
                     newword[2] ) ) )
    )

(* Mappings to "cnt6_blk" *)

cnt6_blk.INCLOGIC: function[word6,bool -> word6] = INCCIRC

cnt6_blk.MULTIPLEX: function[word6,word6,bool -> word6] = MPLEXCIRC

cnt6_blk.INCCON: function[word2,word2,bool -> bool] =
    (LAMBDA Node,Func,Double -> bool:
        first( CONTROLCIR(Node,Func,Double) )
    )

cnt6_blk.MPLXCON: function[word2,word2,bool -> bool] =
    (LAMBDA Node,Func,Double -> bool:
        second( CONTROLCIR(Node,Func,Double) )
    )

cnt6_blk.NEXTNODE: function[word2,word2,bool -> word2] =
    (LAMBDA Node,Func,Double -> word2:
        third( CONTROLCIR(Node,Func,Double) )
    )

END cnt6_cir
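Added example, not code from the report: the gate-level functions of "cnt6_cir" and the block-level functions of "cnt6_blk" transcribed into Python, with the three MAPPINGS checked by enumerating every input, which is what the block-to-circuit proof the report defers would have to establish. Words are Python ints with bit 0 the least significant bit; carry4bar is built exactly as printed in the listing above (bit6(1,cntr) appears twice as its third and fourth inputs) and, as an assumption of this example, also with bit6(2,cntr) as its fourth input.

```python
"""Gate-level model of cnt6_cir checked against the cnt6_blk block model."""
from itertools import product

FETCHNODE, INC1NODE, INC2NODE, LOADNODE = 0, 1, 2, 3   # val2 of the node constants

# --- circuit elements (cnt6_cir) ---
def INV(b): return not b
def NAND2(b1, b2): return not (b1 and b2)
def NAND3(b1, b2, b3): return not (b1 and b2 and b3)
def NAND4(b1, b2, b3, b4): return not (b1 and b2 and b3 and b4)
def XNOR(b1, b2): return not ((not b1 and b2) or (b1 and not b2))
def NOR2(b1, b2): return not (b1 or b2)

def bit(i, w):
    """bit[N](i, w): bit i of word w, bit 0 being the least significant."""
    return bool((w >> i) & 1)

def output(*bits):
    """output(i0 .. i5): assemble a word from its bits, bit 0 first."""
    return sum(int(b) << i for i, b in enumerate(bits))

def bitsel(lbit, lsel, incbit, incsel):
    return NAND2(NAND2(lbit, lsel), NAND2(incbit, incsel))

def MPLEXCIRC(incout, loadin, mplxsel):
    return output(*[bitsel(bit(i, loadin), INV(mplxsel), bit(i, incout), mplxsel)
                    for i in range(6)])

def carry4bar(cntr, noinc, fourth_bit=1):
    # fourth_bit=1 is the listing as printed (bit6(1,cntr) twice);
    # fourth_bit=2 is this example's assumed variant feeding bit 2 to the NAND4.
    return NAND4(INV(noinc), bit(0, cntr), bit(1, cntr), bit(fourth_bit, cntr))

def INCCIRC(cntr, noinc, fourth_bit=1):
    c4b = carry4bar(cntr, noinc, fourth_bit)
    return output(
        XNOR(bit(0, cntr), noinc),
        XNOR(bit(1, cntr), NAND2(INV(noinc), bit(0, cntr))),
        XNOR(bit(2, cntr), NAND3(INV(noinc), bit(0, cntr), bit(1, cntr))),
        XNOR(bit(3, cntr), c4b),
        XNOR(bit(4, cntr), NAND2(INV(c4b), bit(3, cntr))),
        XNOR(bit(5, cntr), NAND3(INV(c4b), bit(3, cntr), bit(4, cntr))))

def inccon(node):
    return NOR2(bit(0, node), bit(1, node))

def common(node, func):
    return NAND3(inccon(node), INV(bit(1, func)), bit(0, func))

def CONTROLCIR(node, func, double):
    """make_triple(inccon, mplxsel, nextnode) built from the gate equations."""
    b0 = NAND2(common(node, func), NAND2(inccon(node), bit(1, func)))
    b1 = NAND2(common(node, func), NAND3(double, bit(0, node), INV(bit(1, node))))
    return (inccon(node), NAND2(bit(0, node), bit(1, node)), output(b0, b1))

# --- block model (cnt6_blk) ---
def ADD1(ct): return (ct + 1) % 64                       # modulo-64 increment
def INCLOGIC(ct, noinc): return ct if noinc else ADD1(ct)
def MULTIPLEX(incout, loadin, mplxsel): return incout if mplxsel else loadin
def MPLXCON(nd): return nd != LOADNODE                  # NOT (val2(nd) = 3)
def INCCON(nd): return nd == FETCHNODE                  # val2(nd) = 0

def NEXTNODE(nd, func, dbl):
    if nd == FETCHNODE:
        return FETCHNODE if func == 0 else LOADNODE if func == 1 else INC1NODE
    if nd == INC1NODE:
        return INC2NODE if dbl else FETCHNODE
    return FETCHNODE

def check_mappings(fourth_bit=1):
    """Return every input on which a circuit function disagrees with its block
    counterpart under the MAPPINGS; an empty list means the mapping is exact."""
    bad = []
    for cntr, noinc in product(range(64), (False, True)):
        if INCCIRC(cntr, noinc, fourth_bit) != INCLOGIC(cntr, noinc):
            bad.append(("INCLOGIC", cntr, noinc))
    for incout, loadin, sel in product(range(64), range(64), (False, True)):
        if MPLEXCIRC(incout, loadin, sel) != MULTIPLEX(incout, loadin, sel):
            bad.append(("MULTIPLEX", incout, loadin, sel))
    for node, func, dbl in product(range(4), range(4), (False, True)):
        expected = (INCCON(node), MPLXCON(node), NEXTNODE(node, func, dbl))
        if CONTROLCIR(node, func, dbl) != expected:
            bad.append(("CONTROLCIR", node, func, dbl))
    return bad
```

With carry4bar as printed the check reports the eight counter values whose low three bits are 011 (the missing bit 2 makes the carry into bit 3 fire early); with bit 2 as the fourth input all three mappings agree on every input.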
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Translation of Circuit-Spec to Silicon 


Although the circuit-level description is defined in terms of only low- 
level circuit elements, this level does not explicitly specify the layout of 
the circuit. There are many problems to be addressed here. The first is 
uncovering the basic element interconnections from the functional description. 
For example, suppose we have the following circuit specification 


BLACK_BOX: function! bool, bool, bool, bool -> bool] 

(LAMBDA il,i2,i3,i4 -> bool: 

NAND3( XN0R(il,i2), 

NAND2(XNOR(il,i2), INV(XNOR( i3, i4 ) ) ) 
XNOR(i3,i4) 

) 

) 

A brute-force implementation of this function would yield: 





follows^^' common sub-expressions, this could be implemented as 
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The concept of hierarchical specification depends on the idea of proving 
the axioms of a specification level as theorems in the level below it. One 
first maps the uninterpreted types and constants of the high level theory into 
more concrete objects in the lower level. The axioms of the high level 
specification are mapped down (using the mappings) to the objects of the lower 
level and proved as theorems there: 


AXIOMS Aj , A^ 


I Map 

I 

V 


I AXIOMS Bj , , B3 , B., 


One must then prove that Map(Aj ) and Map(A, ) follow from B, , B, , Bj , B^ . 

In the next two sections, the proofs which establish the connection from 
the block model specification up to tlie top specification ate presented 

informally. 
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Proof Between Top Level Spec and Major State Machine Spec 

There were two axioms of the top level spec "cnt6": "counter ax" and 
"readyax". 


com,ter_ax: AXIOM ready ( state ) IMPLIES cnt (exee_ent( state, loadin, func ) ) . 
IF val2(func) = 0 THEN cnt( state) 

ELSIF val2(func) = 1 THEN loadin 
ELSIF val2(func) = 2 THEN 
addl mod64 ( cnt { state ) ) 

ELSE 

addl_mod64 ( addl rood64 ( cnt( state ) ) ) 

END ~ 


^en ”counter_ax" is napped down to the next level, the (unctions "ready”, 
"cnt", and "execcnt", are interpreted in terms of their mapping definitiOTs. 
Thus, in the lower level, the "counter ax" is: 


node (state) = fetchnode IMPLIES 

count(Finite_autoraata(state, loadin, func) ) = 

IF val2(func) = 0 THEN count(state) 
ELSIF val2(func) = 1 THEN loadin 
ELSIF val2(func) = 2 THEN 
addl_mod64 ( count ( state ) ) 

ELSE 

( addl mod64 ( count ( state 
END ~ 


) 


This must be proved as a theorem in terms of the axioms of "cnt6_fa". The 
basic strategy is to decompose this theorem into four cases: 


Case 1: val2(func) = 0 
Case 2: val2(func) = 1 
Case 3: val2(func) = 2 
Case 4: val2(func) = 3 


First, one lenmia is proved which simplifies the proof of the (our cases. Next 

each case rs proved separately. Finally, "counter ax" is proved from these 
four cases: 
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Proof of a Lemma 


stbl: LEMMA ready(st) IMPLIES val2(node(st) ) = 0 

-I 

Proof: By definition, ready(st) => ( node(st) = fetchnode ) 

=> ( node(st) = mw2(0) ). 

Thus, 

ready(st) ==> val2(node( st) ) = val2(mw2(0)) 

By the "val_mw_thm" theorem of words{2) we have: 

ready(st) ==> val2(node(st) ) = val2(mw2(0)) = 0 
Endproof . 

Proof of cnt 0 

cnt_0: LEMMA ready (state) and val2(func) = 0 

IMPLIES cnt( exec_cnt( state, loadin, func ) ) = cnt(state) 

Proof: From the definition of "exec_cnt" and val2(func)=0 we have: 

cnt(exec_cnt( state, loadin, fxanc) ) = 

cnt( NEXT( state, loadin, func), loadin, func ) 

Using "NEXTax", the preceeding lemma, and "FETCHax" we have: 

cnt (exec_cnt( state, loadin, func) ) = 

cnt( FETCH( cnt (state) , doublet ( state ), loadin, func) ) = 
cnt( make_tripie(cnt(state) ,BOOLF(bit2(0, func) ), fetchnode) ) 

Finally by definition of "cnt" and the "maketripleax" we have: 

cnt (exec_cnt( state, loadin, func) ) = 
cnt( state ) 

Endproof . 
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Proof of cnt 1 


cntl: LENMft ready( state) and val2(func) * 1 

IZ1PLIES cnt (exec_cnt{ state, loadin, func ) ) - loadin 


Proof; 

cnt ( exec_cnt ( state , loadin , fxonc ) ) ■• { * next ax * ) 

cnt( NEXT( NEXT( state, loadin, func ) , loadin, func )) = 
cnt( NEXT( FETCH( cnt (state) ,doxiblef(state) , loadin, func) )) - 
cnt( NEXT( make_triple(cnt(state),B00LF(bit2(0,f\inc)),loadnode) 
loadin, func )) = 

(* Since VAL2(loadnode) * 3 *) 

cnt ( IX3AD( cnt ( maket r iple { cnt (state ) , BOOLF ( bi t2 ( 0 , func ) ) , loadnode ) , 

doublef ( roake_triple( cnt ( state ) ,BOOLF( bit2 ( 0 , func ) ) , loadnode ) , 
loadin, func) ) - 
cnt ( IXAD( cnt ( state ) , 

BOOLF(bit2(0,func)), 
loadin, func) ) - 

cnt( make_tr iple (loadin, BOOLF (bit2(0, func )),fetchnode) ) = 

loadin 
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Proof of cnt 2 


cnt 2: LETDIA ready (state) and val2(func) - 2 

IMPLIES cnt ( exec_cnt ( state , loadin, func ) ) « 
IF val6 ( cnt ( state ) ) - 63 THEN niw6(0) 
ELSE mw6(val6(cnt(state) )+l) 

END 


Proof: 

cnt (exec_cnt( state, loadin, func ) ) = (* NEXT_ax *) 

cnt( NEJ{T( NEXT( state, loadin, func), loadin, func )) - 
cnt( NEXT( FETCH( cnt (state) ,doublef(state) , loadin, func) )) * 
cnt( NEXT( make_tr iple( cnt ( state ),BOOLF(bit2(0, func )),inclnode) 
loadin, func )) = 

(* Since VAL2(inc Inode) *= 1 *) 

cnt ( INCl ( cnt ( raa)ce_t r i pie ( cnt ( state ) , BOOLF ( bi t2 ( 0 , func ) ) , inclnode ) , 

doublef (make_triple(cnt(state) ,BOOLF(bit2(0,func) ), inclnode) , 
loadin, func) ) “ 
cnt ( INCl ( cnt (state), 

BOOLF (bit2(0,f me), 
loadin, f me) ) - 

Since bit2(0,func) “ 0 =*=> BOOLF ( bi t2 ( 0, f unc ) ) = false *) 

cnt ( make_t r iple ( ADDl ( cnt ( state ) ) , BOOLF ( bi t2 ( 0 , fmc ) ) , f e tchnode ) ) - 
AI»1 ( cnt ( state ) ) « 

IF val6 ( cnt ( state ) ) » 63 THEN mw6(0) ELSE mw6 (val6( cnt ( state ) )+l) 

END 

Proof of cnt 3 


cnt_3; LEMMA ready (state) and val2(fmc) = 3 

IMPLIES cnt (exec_cnt( state, loadin, f me ) ) =* 

IF val6 (cnt( state ) ) = 63 THEN inw6(l) 
ELSIF val6 ( cnt ( state ) ) » 62 THEU mw6(0) 
ELSE raw6(val6(cnt(state) )+2) 

END 
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Proof: 


cnt(6X6c cnt { ststs » lo3clin, func ) ) = next 3x *) 

cnt( NEXT( NEXT( NEXT( st3te,lo3din,func) , lo3din,func ), lo3din,func) ) = 
cnt( NEXT( NEIXT( FETCH(cnt(st3te) »doublef(st3te) ,lo 3 din,func) ) , 
lo3din,func) » 

cnt( NEXT( NE3Cr( m3ke_triple(cnt(st3te),BOOLF(bit2(0,func)),inclnode) 

l03din,func ), lo3din,func )) = 

( * Since VAL2 ( inclnode ) * 1 * ) 

cnt(NEXT( 

INCl ( cnt ( iraketr iple ( cnt ( st3te ) , BOOLF( bit2 ( 0 , func ) ) , inclnode ) , 

doublef (m3ke_triple(cnt(st3te) ,BOOLF(bit2(0,func) ), inclnode) , 
lo3din , func ) , losdin , func ) ) = 
cnt(NEXT( INC1( cnt(st 3 te), 

BOOLF(bit2(0,func), 
lo3din, func ) ,lo3din, func) ) «= 

(* Since bit2(0,func) - 1 — > BOOLF(bit2(0,func) ) - true *) 

cnt ( NE3tT( m3ke_tr iple { ADDl ( cnt ( st3te ) ) , BCX)LF ( bi t2 ( 0 , func ) ) , inc2node ) , 
loadin,func) ) = 

cnt ( INC2 ( cnt ( make t r iple ( AI®1 ( cnt (state)), BOOLF{ bi t2 ( 0 , func ) ) ) , 

doublef( make_triple(ADDl(cnt(state)),BOOLF(bit2(0,func)) ), 

loadin, func) ) = 
cnt ( INC2( ADDl ( cnt ( state )) , 

BOOLF(bit2(0,func)), 
loadin, func ) ) * 

cnt( nake_triple(ADDl((ADDl(cnt(state))),BOOLF(bit2(0,func)),fetchnode) ) = 

ADDl ( (ADDl (cnt (state) ) ) = 

ADD1(IF val6(ADDl (cnt( State) ) ) = 63 THEN mw6(0) 

ELSE mw6(val6(ADDl(cnt(state) ) )+l) END ) 

IF val6(IF val6(ADDl (cnt( state) ) ) = 63 THEN mw6(0) 

ELSE mw6 (val6 (ADDl ( cnt ( state )) )+l) END) - 63 THEN inw6(0) 

ELSE inw6(val6(IF val6( ADDl ( cnt ( state) ) ) = 63 THEN mw6(0) 

ELSE niw6 (val6( ADDl ( cnt ( sta te )) )+l) END)+1) 

END 
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IF val6 (cnt( state ) ) >= 63 THEN mw6(l) 
ELSIF val6 (cnt( state ) ) * 62 THEN niw6(0) 
ELSE mw6(val6(cnt(state) )+2) 

END 

Proof of the cnt6 axioms


ready_ax: AXIOM ready(state) IMPLIES ready(exec_cnt(state,loadin,func))

counter_ax: AXIOM ready(state) IMPLIES cnt(exec_cnt(state,loadin,func)) =
    IF val2(func) = 0 THEN cnt(state)
    ELSIF val2(func) = 1 THEN loadin
    ELSIF val2(func) = 2 THEN
        add1_mod64(cnt(state))
    ELSE
        add1_mod64(add1_mod64(cnt(state)))
    END

The "counter_ax" follows from "cnt_0", "cnt_1", "cnt_2", and "cnt_3" and the
"val_range_thm" applied to "func". The "val_range_thm" is needed to establish
that "func" can only be equal to 0, 1, 2, or 3. Thus the "ELSE" clause in
"counter_ax" applies to "func" = 3 only, and counter_ax follows directly
from cnt_0, cnt_1, cnt_2, cnt_3, and val_range_thm[2]. The axiom "ready_ax" is
proved from the same lemmas.
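Added example, not code from the report: the major-state-machine level "cnt6_fa" modelled in Python exactly as the proofs of cnt_0 .. cnt_3 above unfold it (FETCH, LOAD, INC1 and INC2 as make_triple results, NEXT dispatching on val2(node)), with "counter_ax" and "ready_ax" checked by enumerating every ready state, load value and function code. The definition of exec_cnt is not shown in this section; this example assumes it steps NEXT until the automaton is back in fetchnode, which yields the one, two or three NEXT steps the four proofs use.

```python
"""Major-state-machine level (cnt6_fa) of the 6-bit counter, checked by enumeration."""
from itertools import product

FETCHNODE, INC1NODE, INC2NODE, LOADNODE = 0, 1, 2, 3   # val2 of the node constants
MOD = 64                                                # word6 values run 0 .. 63

def bit2_0(func):
    """bit2(0, func): least significant bit of the 2-bit function code."""
    return func & 1

def BOOLF(b):
    """BOOLF maps the bit value 1 to true and 0 to false."""
    return b == 1

def ADD1(ct):
    """ADD1(ct) = IF val6(ct) = 63 THEN mw6(0) ELSE mw6(val6(ct)+1) END."""
    return 0 if ct == MOD - 1 else ct + 1

def add1_mod64(ct):
    """The top-level spec's modulo-64 increment over integers."""
    return (ct + 1) % MOD

# A state is the triple (cnt, double, node) produced by make_triple.
def FETCH(cnt, double, loadin, func):
    nxt = FETCHNODE if func == 0 else LOADNODE if func == 1 else INC1NODE
    return (cnt, BOOLF(bit2_0(func)), nxt)

def LOAD(cnt, double, loadin, func):
    return (loadin, BOOLF(bit2_0(func)), FETCHNODE)

def INC1(cnt, double, loadin, func):
    return (ADD1(cnt), BOOLF(bit2_0(func)), INC2NODE if double else FETCHNODE)

def INC2(cnt, double, loadin, func):
    return (ADD1(cnt), BOOLF(bit2_0(func)), FETCHNODE)

def NEXT(state, loadin, func):
    """NEXT0_ax .. NEXT3_ax: dispatch on val2(node(state))."""
    cnt, double, node = state
    step = {FETCHNODE: FETCH, INC1NODE: INC1, INC2NODE: INC2, LOADNODE: LOAD}[node]
    return step(cnt, double, loadin, func)

def ready(state):
    """ready(st) <=> node(st) = fetchnode."""
    return state[2] == FETCHNODE

def exec_cnt(state, loadin, func):
    """Assumed for this example: apply NEXT until the automaton is ready again."""
    state = NEXT(state, loadin, func)
    while not ready(state):
        state = NEXT(state, loadin, func)
    return state

def cnt(state):
    return state[0]

def counter_ax_rhs(state, loadin, func):
    """Right-hand side of counter_ax for val2(func) = 0, 1, 2, 3."""
    if func == 0:
        return cnt(state)
    if func == 1:
        return loadin
    if func == 2:
        return add1_mod64(cnt(state))
    return add1_mod64(add1_mod64(cnt(state)))

def check_cnt6_axioms():
    """Return (counter_ax holds, ready_ax holds) over all ready states and inputs."""
    states = [(c, d, FETCHNODE) for c in range(MOD) for d in (False, True)]
    counter_ok = ready_ok = True
    for state, loadin, func in product(states, range(MOD), range(4)):
        after = exec_cnt(state, loadin, func)
        counter_ok &= cnt(after) == counter_ax_rhs(state, loadin, func)
        ready_ok &= ready(after)
    return counter_ok, ready_ok
```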

Proof Between Major State Machine Spec and Block Model Spec


In this section the connection between the major state machine model and
the block diagram spec is demonstrated via informal proof. The following
axioms of the major state machine model must be proved as theorems in the Block
Model:


NEXT0_ax: AXIOM val2(node(stv)) = 0 IMPLIES
    NEXT(stv,ldn,fn) = FETCH(count(stv),double(stv),ldn,fn)

NEXT1_ax: AXIOM val2(node(stv)) = 1 IMPLIES
    NEXT(stv,ldn,fn) = INC1(count(stv),double(stv),ldn,fn)

NEXT2_ax: AXIOM val2(node(stv)) = 2 IMPLIES
    NEXT(stv,ldn,fn) = INC2(count(stv),double(stv),ldn,fn)

NEXT3_ax: AXIOM val2(node(stv)) = 3 IMPLIES
    NEXT(stv,ldn,fn) = LOAD(count(stv),double(stv),ldn,fn)
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The function "NEXT" is mapped onto "COUNTLOGIC" at this level, so each of these 
axioms must be proved with respect to the "COUNTLCX3IC" implementation: 


NEXT0_ax: AXIOM val2(node( stv) ) = 0 IMPLIES 

CXXJNTLOGIC(stv,ldn,fn) = FETCH(count(stv) ,double(stv) ,ldn,fn) 


Proof: 

COUNTLOGlC( stv, loadin, func) = 

make_triple ( MULTIPLEX( INCLOGIC( count ( stv ) , INC(X)N( node ( stv ) ) ) , 

loadin, 

MPLXCON( node ( stv ) ) ) , 
BOOLF(bit2(0,func)), 

NEXTNODE ( node ( stv ), func, double (node) ) ) = 

{ by definition of INCCW and MPLXCON: } 

make_triple( MULTIPLEX(lNCLOGIC(count(stv) , 

( val2( node ( stv ) ) = 0) ), 

loadin, 

NOT ( val2( node ( stv) ) =3)), 
BOOLF(bit2(0,func)), 

NEXTOODE ( node ( stv ) , func , double ( node ) ) ) ■= 

make_triple( MULTIPLEX(INCLOGIC(count(stv) , 

true ) , 

loadin, 
true ) , 

BOOLF(bit2(0,func)), 

NEXTNODE { node ( stv ) , func , double ( node ) ) ) *■ 


{ by INCLOGICax: } 

make_triple( MULTIPLEX( count ( stv ) , 

loadin, 
true ) , 

BOOLF(bit2(0,func)), 

NEXTNODE ( node (s tv ), func, double (node) ) ) » 


{ by MULTI PLEXax: } 

make_triple( count (stv), 

BOOLF(bit2(0,func)), 

NEXTNODE ( node ( stv ) , func , double ( node ) ) ) ■ 


{ by FETCHax: ) 


FETCH (cnt( stv) ,doublef ( stv) , loadin, func) = 
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( The last step follows from the fact that val2(node(stv) = 0 IMPLIES that 

NEX1NCX)E( node ( stv ) ,func, double (node) ) ) is an element of 

{ fetchnode , loadnode , inclnode) 


Endproof 




Proof: 

C0»mX)GIC(stv, «^LTIPI«(INCUX;iC(count(stv) ,INCCON(no^^ ) ) , 

“ loadin, 

MPLXCX»J(node( stv) ) ) , 
BOOLF(bit2(0,func)), ^ x 

NEXTN0DE( node ( stv) ,func,dov±>le( node) ) ) = 


{ by definition of MPLXCCX^: } 

make triple( MULTIPLEX(INCLOGIC(count(stv) ,INCCON(node(stv) ) ) , 

~ loadin, 

N0T(val2(node(stv) )=3) ), 
BOOLF(bit2(0,func)), ^ v 

NEXTNODE ( node (s tv ) ,func, double (node) ) ) = 


{ by INCLOGICax : } 

make triple( MULTIPLEX(ADDl ( count ( stv ) , 

~ loadin, 

true ) , 

BOOLF(bit2(0,func)), ^ , 

NEXTNODE ( node (s tv ) ,func,double( node) ) ) = 


{ by MULTIPLEXax : } 


make triple( ADDl ( count ( stv ) , 

BOOLF(bit2(0,func)), ^ , 

. NEXTNODE(node( stv) ,func, double (node) ) ) - 


{ by INClax: } 

INCl ( cnt ( stv ) , double ( stv ) , loadin , f unc ) = 


( The last step follows from the fact that val2(node(stv) = 1 IMPLIES that 

NEXTNC»E ( node ( stv ) ,f\inc, double (node) ) ) is an element of 

{ fetchnode , inc2node } 


Endproof 
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NEXT2_ax: AXIOM val2(node( stv) ) « 2 IMPLIES ~ ~ 

COUI^IC ( =_INC2( count ( stv ) , double ( stv ) , Idn , f n ) 

Proof: 


00U^^TOGIC(stv, loadin, func) ■ 

inake_triple{ MULTIPLEX( INCIX3GIC( count(stv) , INCCON( node ( stv) ) ) 

loadin, " 

MPLXOON( node { stv ) ) ) , 
BOOLF(bit2(0,func)), 

NEXTNODE ( node (s tv ) ,func,double( node) ) ) = 

nake_ttiple ( MULTIPLEX( INtX0GiC( count ( stv) , INCCON( node( stv) 1 ) 

loadin, ' 

NOT(val2(node(stv))-3) ), 
BOOLF(bit2(0,func)), 

I by INCLOGIC ax: ] *^®^™ODE(node( stv) ,func,double( node) ) ) - 


make_triple( 


[ by MULTIPLEXax: ] 


MULTI PLEX(ADDl ( count ( stv) , 
loadin, 
true), 

BOOLF(bit2(0,func)), 

NEXTNODE ( node ( stv ) , func , double ( node ) ) 


) = 


make_triple( ADDl ( count ( stv ) , 

BOOLF ( bi t2 ( 0 , func ) ) ^ 

NEXTN0DE( node ( stv ), func, double (node) ) ) = 

[ by NEXTNODE2a3_ax: ) 


niake_triple( ADDl (coiont( stv) ), 

BOOLF(bit2(0,func)), 
fetchnode ) = 

{ by INC2_ax: } 


INC2 ( cnt ( stv ) , double ( stv ) , loadin , fiinc ) = 


^'®^3_3x: axiom val2 ( node ( stv ) ) = 3 IMPLIES ~ 

^°^J^^^'rLOGIC(stv,ldn, fn) = LQAD{count(stv) ,double(stv) ,ldn,fn) 


34 



make triple (MULTIPLEDC( INCLOGIC ( count ( stv ) ,INCCCW( node ( stv) ) ) , 
“ loadin, 

MPLXCON( node ( stv ) ) ) , 

BOOLF(bit2(0,func) ) , 

NEXINODE ( node ( s tv ) , f unc , double ( node ) ) ) = 

make triple(MULTIPLEX(INCLOGIC(count(stv) ,val2(node(stv) )-0) , 
“ loadin, 

N0T(val2(node(stv) )=3) ), 

BOOLF ( bi t2 ( 0 , f unc ) ) , 

NEXTNODE ( node ( stv ) ,func,double( node) ) ) = 

[ by INCLOGICax; ] 

make triple(MULTIPLEX( (count(stv) 

loadin, 

N0T(val2(node(stv) )=3) ), 

BOOLF ( bi t 2 ( 0 , f unc ) ) , 

NEXTNODE ( node ( stv ) ,func,double( node) ) ) = 

( by MULTIPLEX_ax: ] 

make triplet loadin, 

" BOOLF(bit2(0,func) ) , 

NEXTN0DE( node (s tv ) ,fijnc, double (node) ) ) = 


[ by NEXlNODE2a3_ax : ] 


make triplet loadin, 

“ BOOLF(bit2(0,func) ) , 

fetchnode ) = 


{ by LOftD ax: } 

LQAD(cnttstv) , double (stv) , loadin, f unc) = 


Proof Between Block Diagram Spec and Circuit Level Spec


In the RSRE methodology, the proof between the block-diagram specification
and the circuit-level specification is accomplished by the method of
intelligent exhaustion (ref. 4) or the more recent "NODEN" method (ref. 5). The
proofs at this level have not yet been attempted. Future work will investigate
the advantages and disadvantages of "NODEN" versus EHDM proof.
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SPECIFICATION OF N-BIT WORDS 


A physical row of input or output lines are often interpreted as integers 
in some hardware devices. Of course the range of integer values which can be 
presented on N wires is finite, usually taken to be 0 to 2"-l. it is necessary 
to build a theory which enables one to reason about such rows of signal values 
as integers, in a sinple manner. This section describes such a theory, in 
this theory a row of N inputs is referred to as a "N-bit word". This theory 
has been defined in a separate module "words" to facilitate its reuse. This 
module should be usable by most hardware verification projects without 
modification. 


It IS necessary to first define the possible signal values which can appear 
on a single line. For simplicity, the set of boolean values: {true, false) are 
used to represent signal values in "words", in the RSRE reports, the domain of 
signal values range over t, f, x, z, q and i, which stand for true, false, 
don't care, tri-state high impedance, unaltered menKiry element and 


indeterminate, respectively. The x. 


z, q, and i values were not needed to 


verify the counter in EHDM so the simpler boolean domain was used. Appendix A 
shows how the theory of words can be generalized to include these other values. 


Conceptually, a word consists of N bits which are indexed by an integer 
between 0 and N-1 inclusive. Thus, the module is defined in terms of a generic 
parameter "N" which is the number of bits in the word. This module exports the 
type "word[N]". if only one type of word will be used in a specification, the 
user can declare the size of the words in a USING clause, e.g. 


USING words [32] 


and the identifier "word" can be used instead of word) 32). if more than one 
word type is needed, then the following using clause is used: 

USING words 

and the user must cite the length of the word explicitly, e.g. word(32], 
word[16), etc. This module also defines the following functions: 
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val(w); returns the unsigned integer value of the N-bit word "w" 
niw(i): returns an N-bit word containing the binary representation of the 

unsigned integer "i”. 

bit(i,w); returns the contents of the "ith" bit of word "w" 
assign(i,b,w) : assigns the boolean value "b" to the "ith" bit of word "w" 

If there is only one declaration of the "words" module, then the above 
functions cab be abbreviated as "val", "mw", "bit" and "assign". If there are 
multiple declarations of the "words" module, then the function names cannot t>e 
abbreviated, e.g.; 

valt32](w); returns the unsigned integer value of the 32-bit word "w" 

val[12)(w); returns the unsigned integer value of the 12-bit word "w" 

bit[16J(i,w) : returns the contents of the "ith" bit of the 16-bit word "w" 
assign(12](i,b,w) : assigns "b" to the "ith" bit of the 12-bit word "w" 

The "bit" and "assign" functions enable the access and modification of 
individual bits of a N-bit word. These functions are defined formally as 
follows: 

bitassign: AXIOM (i >= 0 and i < N) IMPLIES 

bit( i,assign(k,b,w) ) = 

( IF k = i THEN b ELSE bit(i,w) END ) 

Thus, bit and assign are defined in terms of each other. The axiom defines 

the effect of retrieving a bit from a word v»tiich has been modified by assigning 
a new value to one of its bits. If the bit being retrieved is the same as the 
one just assigned, the new value is retrieved. Otherwise, the value retrieved 
is the same as before the assignment. Thus, assigning a bit in a word does not 
affect any other bit in the word. It should be noted that these functions are 
not defined in a "constructional" manner; that is, they have not been defined 
separately in terms of previously defined primitives. Their properties have 
been defined axiomatically in terms of each other. Such axioms must be 
carefully scrutinized to insure that inconsistencies are not introduced into 
the specification. 

This method of defining a word differs considerably from the way they were
defined in the RSRE report using LCF-LSM. In LCF-LSM there are specific built-
in functions that manipulate lists of objects. In the RSRE work, a word is
represented by a list of objects. Thus, they "construct" a word using more
primitive functions.

In the top-level specification of the 6-bit counter, its behavior is
defined in terms of modulo-64 arithmetic over integers. Thus, it is necessary
to define functions which "interpret" an N-bit word as an integer. The "val"
and "mw" functions perform this duty. The "val" function is defined
recursively as follows:


valm: function[word,int,int -> int]

valm_def: AXIOM valm(w,m,n) = IF m = 0 THEN 0
                              ELSE 2*valm(w,m-1,n) + BOOLVAL(bit(n-m,w))
                              END

val: function[word -> int]
val_def: AXIOM val(w) = valm(w,N,N)

Similarly, the "mw" function is defined recursively:


mw: function[int -> word]

mwm: function[int,int,int -> word]

mwm_def: AXIOM mwm(v,m,n) = IF m = 0 THEN newword
                            ELSE
                                assign(n-m, BOOLVAR(MOD2(v)),
                                       mwm(DIVBY2(v),m-1,n))
                            END

The constant "newword" used in "mwm_def" above represents an undefined
word. It is defined formally as:

accessnew: AXIOM bit(k, newword) = f

The major theorem of this module establishes that val and mw are inverse
functions:

( ii >= 0 AND ii < power2(N) ) IMPLIES val(mw(ii)) = ii
The specification of "words" is:

words: MODULE[N: int]

USING power2_th, divby2_th

exporting word, newword, bit, assign, val, mw, mwm, valm, bool_to_int

WITH power2_th, divby2_th

ASSUMING

Npos: FORMULA N>0

THEORY

word: TYPE

k,i,ii,m,v,n: VAR int
w,w1,w2: VAR word
b: VAR bool
newword: word

assign: function[int, bool, word -> word]
bit: function[int, word -> bool]

bitassign: AXIOM (i >= 0 and i < N) IMPLIES
    bit(i,assign(k,b,w)) =
        ( IF k = i THEN b ELSE bit(i,w) END )


mw: function[int -> word]
val: function[word -> int]


mwm: function[int,int,int -> word]
mwm_def: AXIOM mwm(v,m,n) =
    IF m = 0 THEN newword
    ELSE
        assign(n-m, BMOD2(v), mwm(DIVBY2(v),m-1,n))
    END

mw_def: AXIOM mw(ii) = mwm(ii,N,N)

bool_to_int: function[bool -> int] =
    (LAMBDA b -> int: IF b THEN 1 ELSE 0 END )

valm: function[word,int,int -> int]
valm_def: AXIOM valm(w,m,n) = IF m = 0 THEN 0
                              ELSE 2*valm(w,m-1,n) + bool_to_int(bit(n-m,w))
                              END

val_def: AXIOM val(w) = valm(w,N,N)

(* Big Theorems *)

val_mw_thm: THEOREM ( ii >= 0 AND ii < power2(N) )
    IMPLIES val(mw(ii)) = ii

val_range_thm: THEOREM val(w) >= 0 and val(w) < power2(N)

val_bits_thm: THEOREM val(w1) = val(w2) IMPLIES
    (FORALL m: m>=0 AND m<N IMPLIES bit(m,w1)=bit(m,w2))


END words

The proofs of the theorems are listed in Appendix C.
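Added example, not code from the report: the "words" theory modelled in Python for a fixed word size N. A word is a tuple of N booleans, "bit" and "assign" obey the bitassign axiom, and valm/val and mwm/mw follow the recursive definitions of valm_def, val_def, mwm_def and mw_def (so bit 0 is the least significant bit); the three "Big Theorems" are then checked by enumerating every word and every integer for N = 6, the counter's word size. Choosing all-false bits for the undefined word "newword" is this example's assumption.

```python
"""The "words" module of the report, modelled and checked by enumeration."""
from itertools import product


def newword(N):
    """The undefined word: its bit values are unconstrained, so False is used here."""
    return (False,) * N


def bit(i, w):
    """bit(i, w): the i-th bit of word w."""
    return w[i]


def assign(k, b, w):
    """bitassign: bit(i, assign(k, b, w)) = b if k = i, else bit(i, w)."""
    return tuple(b if i == k else w[i] for i in range(len(w)))


def bool_to_int(b):
    return 1 if b else 0


def valm(w, m, n):
    """valm(w,m,n) = IF m = 0 THEN 0 ELSE 2*valm(w,m-1,n) + bool_to_int(bit(n-m,w)) END."""
    if m == 0:
        return 0
    return 2 * valm(w, m - 1, n) + bool_to_int(bit(n - m, w))


def val(w):
    """val_def: val(w) = valm(w,N,N)."""
    return valm(w, len(w), len(w))


def mwm(v, m, n, N):
    """mwm(v,m,n) = IF m = 0 THEN newword ELSE assign(n-m, BMOD2(v), mwm(DIVBY2(v),m-1,n)) END."""
    if m == 0:
        return newword(N)
    return assign(n - m, v % 2 == 1, mwm(v // 2, m - 1, n, N))


def mw(ii, N):
    """mw_def: mw(ii) = mwm(ii,N,N)."""
    return mwm(ii, N, N, N)


def bitassign_holds(N):
    """Check the bitassign axiom for every k, i, b and every N-bit word."""
    words = [tuple(bits) for bits in product((False, True), repeat=N)]
    return all(bit(i, assign(k, b, w)) == (b if k == i else bit(i, w))
               for w in words for k in range(N) for i in range(N)
               for b in (False, True))


def check_big_theorems(N):
    """Return the truth of (val_mw_thm, val_range_thm, val_bits_thm) for N bits."""
    words = [tuple(bits) for bits in product((False, True), repeat=N)]
    val_mw = all(val(mw(ii, N)) == ii for ii in range(2 ** N))      # val(mw(ii)) = ii
    val_range = all(0 <= val(w) < 2 ** N for w in words)            # 0 <= val(w) < 2^N
    val_bits = all(val(w1) != val(w2) or w1 == w2                   # equal val => equal bits
                   for w1 in words for w2 in words)
    return val_mw, val_range, val_bits
```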
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FORMAL PWX»FS 


In this section a brief overview is given of the formal proofs performed using 
the EHDM theorem prover. The automatic theorem prover is used to guarantee 
that no errors have been made in the proofs themselves. 

Introduction to Proving in EHDM 

Proving is accoin>lished in EHDM by reducing the problem to the decidable 
domain of the theorem prover by citing all premises which the theorem depends 
upon and "instantiating" the variables of the theorem and premises. To 
illustrate this process, the cnt_0 proof will be examined. From the informal 
proof (see section entitled "INFORMAL PROOFS") we can see that the theorem 
follows frc»n NEJCT ax, FETCH ax, stbl, and make triple ax. The first step to 
proving the theorem is to list these premises. Next, the variable names in the 
premises must be "matched". This is accon^lished by "instantiating" (i.e. 
substituting) the variables in the premises with the same names as in the 
conclusion. The first premise used was NEXT_ax. NEXT_ax has three variables 
which must be "instantiated", namely maj, loadin, and func.’ The cntO 
formula calls the "NEXT" function with arguments "state", "loadin", and "func". 
Therefore, these are the values that must be assigned to the "NEXT ax" 
variables. This is done as follows; 

maj <- state^C, 
loadin <- loadin@C, 
func <- func@C 

The §C is used to indicate that the names come from the conclusion. (Names 
from premise one are designated by 0Pl, premise two by @P2 and so forth.) This 
matching process is done for all of the premises. The formal proof is; 


1 Substitutable variablas ara those that are universally quantified in the 
premises and existentially quantified in the conclusion. 
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p_cnt_0: PROVE cnt_0 FROM NEXT_ax{n\aj <- state@C, 

loadin <- loadingc, 
func <- func@C} , 

FETCH_ax{ count <- cnt(state§C) , 

double <- doublet ( stategC ) , 
loadin <- loadin^C, 
func <- func§C} , 

make_triple_ax{x <- cnt(state@C) , 

y <- BOOLF(bit2(O,func0C) ) , 
z <- fetchnode}, 
stbl{st <- stategC} 

Proof statements are included in the specification module in the last section 
vrtiich follows the reserved word "PROOF". The module is subjected to the 
theorem prover. The prove r attempts to prove each of the theorems referenced 
by a "PROVE" statement. The prover returns either "PROVED" or "UNPROVED". A 
proof trace is supplied by the theorem prover to aid the user in accomplishing 
a proof. 

Scfflie suggestions for inproving the EHDM Theorem Prover are given in 
^4>pendix B. 


Status of Proofs


All of the proofs between the Top Level and the Major-State Level and
between the Major-State Level and the Block Model Level have been completed. A
complete listing of the specifications and proofs is given in Appendix C. The
status reports generated by EHDM are listed below:

Proofs Between Top-level and Major-state level

The proof chain is complete

The following formulas were justified only as specific instances
    words[&1].Npos


The axioms and assumptions at the base are:

    cnt6_fa.INC2_ax*
    cnt6_fa.NEXT1_ax*
    cnt6_fa.INC1_ax*
    cnt6_fa.NEXT2_ax*
    cnt6_fa.LOAD_ax*
    cnt6_fa.NEXT3_ax*
    triples[&1, &2, &3].make_triple_ax
    cnt6_fa.FETCH_ax*
    cnt6_fa.NEXT0_ax*
    divby2_th.alt_ax*
    divby2_th.kill_ax*
    words[&1].valpos_ax*
    words[&1].twen_ax*
    words[&1].mw_def
    words[&1].welr_ax*
    divby2_th.tftin_ax*
    int_inductions.int_induct_by_2
    divby2_th.ifun_ax*
    words[&1].qfun_ax*
    words[&1].vfun_ax*
    divby2_th.DIV_ax
    divby2_th.BMOD2_ax
    divby2_th.MOD2_ax
    words[&1].bitassign
    words[&1].mwm_def
    words[&1].zfun_ax*
    words[&1].val_def
    int_inductions.int_induction
    words[&1].valm_def
    words[&1].rang_ax*
    power2_th.power2_ax

* denotes the axioms which are merely name definitions (see section entitled
"Definitional Axioms" in APPENDIX B). The critical axioms are

    triples[&1, &2, &3].make_triple_ax
    words[&1].mw_def
    int_inductions.int_induct_by_2
    divby2_th.DIV_ax
    divby2_th.BMOD2_ax
    divby2_th.MOD2_ax
    words[&1].bitassign
    words[&1].mwm_def
    words[&1].val_def
    int_inductions.int_induction
    words[&1].valm_def
    power2_th.power2_ax

Proofs Between Major-state level and Block-model level


The proof chain is complete


The axioms and assumptions at the base are:

    cnt6_fa.LOAD_ax*
    cnt6_blk.NEXTNODE2a3_ax*
    cnt6_fa.INC2_ax*
    cnt6_blk.NEXTNODE1_ax*
    cnt6_fa.INC1_ax*
    cnt6_blk.NEXTNODE0_ax*
    cnt6_fa.FETCH_ax*
    cnt6_blk.MULTIPLEX_ax*
    cnt6_blk.INCLOGIC_ax*

* denotes the axioms which are merely name definitions (see section entitled
"Definitional Axioms" in APPENDIX B).

Status of modules in context


cnt6_cir: Parsed and Typechecked
signal: Parsed and Typechecked
cnt6: Parsed and Typechecked
cnt6_fa: Parsed and Typechecked, 31 proofs, 31 attempted, 31 succeeded
inc_cases: Parsed and Typechecked, 5 proofs, 5 attempted, 5 succeeded
divby2_th: Parsed and Typechecked, 29 proofs, 29 attempted, 29 succeeded
power2_th: Parsed and Typechecked, 7 proofs, 7 attempted, 7 succeeded
words_prf: Parsed
cnt6_blk: Parsed and Typechecked, 14 proofs, 14 attempted, 14 succeeded
bsignal: Parsed and Typechecked
words: Parsed and Typechecked, 58 proofs, 58 attempted, 58 succeeded
int_inductions: Parsed and Typechecked
triples: Parsed and Typechecked

CONCLUSIONS


The RSRE methodology appears to be a practical approach to designing and
verifying digital hardware. No major problems have been discovered in the
methodology thus far. The work of this paper has focused on the hierarchical
specification method. Future work will concentrate on the method of
intelligent exhaustion.

There was one property which should be demonstrated about sequential
circuits that was not explicitly dealt with in the RSRE papers — "readiness"
of the finite state automata. The "readiness" property refers to whether the
finite automata always returns to the fetch state after executing a function.
Although RSRE's hand proofs clearly established this property, the property was
not specified formally.

The RSRE report did not formalize in LCF-LSM the timing behavior of the
counter. Although some timing diagrams were provided and some informal remarks
were made about "hoisting exiting conditions", it is not clear how this
material could be formalized. Although omitting timing details from the LCF-
LSM specifications significantly reduces the complexity of the specifications,
it raises the possibility that certain design errors could go undetected. For
example, if the state variables were not stored in latches (e.g., connected via
direct feedback line), the automatic theorem prover would not report this
deficiency. This appears to be an implicit assumption of the overall
methodology which should be more carefully documented.

The EHDM system was found to be fully capable of supporting the RSRE
methodology for hardware verification. Two features of the EHDM system were
found to be especially useful — generic modules and the MAPPING constructs.
The generic module capability provided a convenient method of defining the
theory of words. This stands in contrast to LCF-LSM where the "almost
identical" text which defines "val2", "val6", "val32", etc. must be repeated.
The MAPPING constructs enabled the user to formally connect the levels of the
system hierarchy. This was only accomplished informally in the RSRE report.
APPENDIX A


THEORY OF GENERAL WORDS


In this section, a general theory of words is developed. This theory
defines the concept of an N-bit word where each bit can take values from a more
general domain than the booleans. Although the theory developed does not
depend upon the specific domain, the following values are of typical interest:

t — true
f — false
x — don't care
q — unaltered memory element
z — tristate impedance high
i — indeterminate


The following specification defines these values:


signalval: TYPE
t,f,x,q,z,i: signalval

unique: AXIOM t ~= f and t ~= x and t ~= q and t ~= z and t ~= i and
              f ~= x and f ~= q and f ~= z and f ~= i and
              x ~= q and x ~= z and x ~= i and
              q ~= z and q ~= i and
              z ~= i

s: VAR signalval

exhaust: AXIOM s=t or s=f or s=x or s=q or s=z or s=i

Since EHDM has no method of defining a new domain of values automatically, the
user must manually define its values and explicitly state the properties of
uniqueness and completeness.

The properties of words over the domain of "signalval" are defined in the
same manner as words defined over booleans.


Bit_Assign_ax: AXIOM (i < N and i >= 0) IMPLIES
    ( IF k = i THEN Bit(i,Assign(k,s,gw)) = s
      ELSE Bit(i,Assign(k,s,gw)) = Bit(i,gw) END )

This is essentially the same as "bitassign" in the boolean words theory. The
function names are capitalized to distinguish them from the boolean word
functions since EHDM does not support overloading of function names. The
axiom defines the effect of retrieving a bit from a word which has been
modified by assigning a new value to one of its bits. If the bit being
retrieved is the same as the one just assigned, the new value is retrieved.
Otherwise, the value retrieved is the same as before the assignment. It
should be noted that these functions are not defined in a "constructional"
manner, that is, they have not been defined separately in terms of previously
defined primitives. Their properties have been defined axiomatically in terms
of each other. Such axioms must be carefully scrutinized to ensure that
inconsistencies are not introduced into the specification.

Next, the functions "val" and "mw" are defined in the general theory of
words. The "val" and "mw" functions "interpret" the N bits of boolean values
as an integer. Consequently they are only defined for general words that
contain only values of "t" and "f". They must be defined as partial functions.
This is accomplished by defining a function which embeds the boolean words in
the set of general words:

embed: function[word -> gword]

embed_ax: AXIOM (i < N and i >= 0) IMPLIES
    Bit(i,embed(w)) = bool_to_signal(bit(i,w))

There are now two distinct types — word and gword — which represent boolean
words and general words respectively. The function bool_to_signal associates
the boolean values with "t" and "f" of "signalval":

bool_to_signal: function[bool -> signalval] =
    (LAMBDA bb -> signalval:
        IF bb THEN t
        ELSE f
        END)

Thus, the function "embed" maps boolean words to the corresponding general word
which consists of only "t" and "f" values. Using the "embed" function, the
partial functions "Val" and "Mw" can be defined:

Val: function[gword -> int]

Val_ax: AXIOM Val(embed(w)) = val(w)

Mw: function[int -> gword]

Mw_ax: AXIOM Mw(ii) = embed(mw(ii))
The theorems of the "words" module are easily established in the theory of
general words. For example:


Val_Mw_thm: THEOREM ( ii >= 0 AND ii < power2(N) )
                IMPLIES Val(Mw(ii)) = ii


Proof: Val(Mw(ii)) = Val(embed(mw(ii)))
                   = val(mw(ii))
                   = ii

The last step follows from the "val_mw_thm" theorem of "words", the boolean
word theory.


The full specification of "gwords" follows:

gwords: MODULE[N: int]

USING words, power2_th, signal, divby2_th

EXPORTING gword, newgword, Valuable, Assign, Bit
WITH power2_th, signal, divby2_th


ASSUMING

N_pos: FORMULA N>0

THEORY

(* -- abbreviations for words items -- *)

word: TYPE is word[N]

assign: function[int, bool, word -> word] is assign[N]
bit: function[int, word -> bool] is bit[N]
mw: function[int -> word] is mw[N]
val: function[word -> int] is val[N]


(* -- Theory needed to define words functions -- *)

gword: TYPE
newgword: gword
k,i,ii: VAR int
w: VAR word
gw, gw2: VAR gword
s: VAR signalval
a,b: VAR bool

Assign: function[int, signalval, gword -> gword]
Bit: function[int, gword -> signalval]


Bit_Assign_ax: AXIOM (i < N and i >= 0) IMPLIES
    ( IF k = i THEN Bit(i,Assign(k,s,gw)) = s
      ELSE Bit(i,Assign(k,s,gw)) = Bit(i,gw) END )

accessnew: AXIOM Bit(k,newgword) = x


(* -- Concepts related to interpretation of words as integers -- *)

embed: function[word -> gword]
embed_ax: AXIOM (i < N and i >= 0) IMPLIES
    Bit(i,embed(w)) = bool_to_signal(bit(i,w))

Val: function[gword -> int]

Val_ax: AXIOM Val(embed(w)) = val(w)


Mw: function[int -> gword]

Mw_ax: AXIOM Mw(ii) = embed(mw(ii))


Valuable: function[gword -> bool]

Valuable_def: AXIOM Valuable(gw2) = (EXISTS w: gw2 = embed(w))

Val_Mw_thm: AXIOM ( ii >= 0 AND ii < power2(N) )
                IMPLIES Val(Mw(ii)) = ii


Bit_bit_thm: THEOREM (i < N and i >= 0) IMPLIES
    bit(i,w) = signal_to_bool(Bit(i,embed(w)))

Assign_assign_thm: THEOREM (i < N and i >= 0) IMPLIES
    embed(assign(i,b,w)) = Assign(i,bool_to_signal(b),embed(w))

Valuable_mw: THEOREM Valuable(embed(mw(ii)))

Valuable_thm: THEOREM Valuable(gw) = ((i>=0) and (i < N) IMPLIES
    (Bit(i,gw) = t or Bit(i,gw) = f))
Val_range_thm: AXIOM Valuable(gw) IMPLIES
    Val(gw) >= 0 and Val(gw) < power2(N)


PROOF


PROVE Val_Mw_thm FROM Mw_ax,
    Val_ax{w <- mw(ii)},
    val_mw_thm[N]

p_Val_range_thm: PROVE Val_range_thm{gw <- embed(w@P3)} FROM
    Valuable_def{gw2 <- embed(w@P3)},
    Val_ax{w <- w@P3},
    val_range_thm[N]

p_Valuable_mw: PROVE Valuable_mw FROM Valuable_def

p_Bit_bit_thm: PROVE Bit_bit_thm FROM embed_ax,
    signal_to_bool_ax

p_Assign_assign_thm: PROVE Assign_assign_thm FROM
    Bit_Assign_ax,
    embed_ax{w <- assign(i,b,w)}

END gwords
signal: MODULE


EXPORTING signalval, t, f, x, (* EQsig, AND3, OR3, NOT3, EQUIV *)
          bool_to_signal, signal_to_bool, bool_to_int, BOOLF
          (* , int_to_signal, signal_to_int *)


THEORY

signalval: TYPE
t,f,x: signalval
a,b,c: VAR signalval
bb: VAR bool
i: VAR int

unique: AXIOM (t ~= f) and (t ~= x) and (f ~= x)

exhaust: AXIOM a=t OR a=f OR a=x

signal_to_bool: function[signalval -> bool]
signal_to_bool_ax: AXIOM signal_to_bool(t) = true and
                         signal_to_bool(f) = false

bool_to_signal: function[bool -> signalval] =
    (LAMBDA bb -> signalval:
        IF bb THEN t
        ELSE f
        END)

BOOLF: function[signalval -> bool] is signal_to_bool

bool_to_int: function[bool -> int] =
    (LAMBDA bb -> int: IF bb THEN 1 ELSE 0 END)


END signal


APPENDIX B


SUGGESTIONS FOR IMPROVING EHDM


In the following subsections, several suggestions are made for improving the
EHDM verification system.

Definition of the Values of a Type

Frequently it is necessary to define a type which takes on a finite number
of distinct values. This is accomplished in LCF-LSM as follows:

type signalval = NEW( t | f | x)

In EHDM this must be done via a laborious detailed specification of all of the
properties needed:

signalval: TYPE
t,f,x: signalval
s: VAR signalval

unique: AXIOM t ~= f and t ~= x and f ~= x

exhaust: AXIOM s=t or s=f or s=x


Definitional Axioms

There is a need for another kind of "axiom" in EHDM. In order to facilitate
the proof process it is often necessary to rewrite LAMBDA definitions as
axioms. Instead of

F: function[int -> int] = (LAMBDA x -> int: x*x)

one writes:

F: function[int -> int]

F_ax: AXIOM F(x) = x*x

Thus, the theorem prover only expands the definition of F when it is specifically
stated as a premise. This is desirable when the definition is complicated and
a proof does not depend upon the particulars of the definition. However, there
is an unhappy side-effect of this procedure. There is now an additional axiom
which appears at the base of the theory. (See section entitled "Status of
Proofs".) In other words, when one performs a proof analysis, the big theorems
you have proved are reported to depend upon a set of axioms. This set now
includes all of these "axioms" which are merely definitions of temporary
"names". The big result in no sense depends upon these "names". They were
used as a convenience. If one were to rewrite the module using LAMBDA
definitions, then the same big theorems could be proved and the set of axioms
they depended upon would not include these name definitions. Of course, the
theorem prover may take weeks rather than minutes to prove the results.

Perhaps EHDM could be extended with a new construct, say DEFINITION:

F_ax: DEFINITION F(x) = x*x

which must be of a particular restricted form.

The User's Manual states: "EHDM currently requires a mapping for every
uninterpreted type and every constant of the module being mapped." If one
defines a function name to simplify the statement of a big theorem, one should
not have to map this "temporary" function. For example, suppose the
big theorem is:

big_theorem: AXIOM x*x + x = f(x*x+x)g(x)

Suppose that f and g are mapped into some concrete form in a mapping module
and big_theorem is proved there. What if for convenience the above axiom was
written as:

h: function[int -> int]
h_ax: AXIOM h(x) = x*x + x
big_theorem: AXIOM h(x) = f(h(x))g(x)

Would it be necessary to specifically "map" h down to the next level? Would
"h_ax" have to be proved as a theorem in the mapping module? It is not clear
... hierarchical
level ... theorem in the lower
... could be a terminology nightmare. It would be nice if a new keyword
could be invented which conveyed this concept.


Improvement to Proof Instantiator


The Proof Instantiator "overlooks" some very obvious substitutions.
Consider the function COUNTLOGIC (from module cnt6_blk) listed below in full:


COUNTLOGIC: function[statevector,word6,word2 -> statevector] =
    (LAMBDA stv, loadin, func -> statevector:
        make_triple( MULTIPLEX( INCLOGIC( count(stv),
                                          INCCON(node(stv)) ),
                                loadin,
                                MPLXCON(node(stv)) ),
                     BOOLF(bit2(0,func)),
                     NEXTNODE(node(stv),func,double(stv)) ) )


There is an axiom NEXTNODE0_ax which will be cited as a premise:

NEXTNODE0_ax: AXIOM val2(nd) = 0 IMPLIES
    NEXTNODE(nd,func,dbl) =
        IF val2(func) = 0 THEN fetchnode
        ELSIF val2(func) = 1 THEN loadnode
        ELSE inc1node
        END

The following lemma is to be proved:

claa: LEMMA val2(node(stv)) = 0 and val2(func) = 0 IMPLIES
    COUNTLOGIC(stv,loadin,func) =
        make_triple( MULTIPLEX( INCLOGIC( count(stv),
                                          INCCON(node(stv)) ),
                                loadin,
                                MPLXCON(node(stv)) ),
                     BOOLF(bit2(0,func)),
                     fetchnode )

The following proof statement does the job:

p_claa: PROVE claa FROM NEXTNODE0_ax{nd <- node(stv),
                                     func <- func,
                                     dbl <- double(stv)}

But the Instantiator will not find the instantiations! Starting with the
conclusion, it is obvious that NEXTNODE is called as:


NEXTNODE(node(stv),func,double(stv))

The only premise stated, NEXTNODE0_ax, is of the form:


NEXTNODE(nd,func,dbl) = ...

The required matchings are obvious, and would seem to be easily
automated!
APPENDIX C


FULL LISTING OF SPECIFICATIONS INCLUDING PROOFS


cnt6: MODULE
USING words
THEORY

(* define abbreviations for 'words' types and functions *)

word6: TYPE is word[6]
word2: TYPE is word[2]

val2: function[word2 -> int] is val[2]
val6: function[word6 -> int] is val[6]
mw6: function[int -> word6] is mw[6]

(* define TYPE to represent state of machine *)

states: TYPE

(* -- define logic variables -- *)

state: VAR states
loadin,w: VAR word6
func: VAR word2

(* define properties of 6-bit counter *)

cnt: function[states -> word6]
exec_cnt: function[states, word6, word2 -> states]
ready: function[states -> bool]


add1_mod64: function[word6 -> word6] =
    ( LAMBDA w -> word6:
        IF val6(w) = 63 THEN mw6(0)
        ELSE mw6(val6(w)+1)
        END )


ready_ax: AXIOM ready(state) IMPLIES ready(exec_cnt(state, loadin, func))

counter_ax: AXIOM ready(state) IMPLIES cnt(exec_cnt(state, loadin, func)) =
    IF val2(func) = 0 THEN cnt(state)
    ELSIF val2(func) = 1 THEN loadin
    ELSIF val2(func) = 2 THEN add1_mod64(cnt(state))
    ELSE add1_mod64(add1_mod64(cnt(state)))
    END


END cnt6
words: MODULE[N: int]

USING power2_th,divby2_th

EXPORTING word, newword, bit, assign, val, mw, mwm, valm, bool_to_int
WITH power2_th,divby2_th


ASSUMING

N_pos: FORMULA N>0


THEORY

word: TYPE


k,i,ii,m,v,n,h,jj,y: VAR int
w,w1,w2: VAR word
a,b: VAR bool
newword: word

assign: function[int, bool, word -> word]
bit: function[int, word -> bool]


bitassign: AXIOM (i >= 0 and i < N) IMPLIES
    bit(i,assign(k,b,w)) =
        ( IF k = i THEN b ELSE bit(i,w) END )


mw: function[int -> word]
val: function[word -> int]

mwm: function[int,int,int -> word]
mwm_def: AXIOM mwm(v,m,n) =
    IF m = 0 THEN newword
    ELSE assign(n-m,BMOD2(v),mwm(DIVBY2(v),m-1,n))
    END


mw_def: AXIOM mw(ii) = mwm(ii,N,N)


bool_to_int: function[bool -> int] =
    (LAMBDA b -> int: IF b THEN 1 ELSE 0 END)


valm: function[word,int,int -> int]
valm_def: AXIOM valm(w,m,n) =
    IF m = 0 THEN 0
    ELSE 2*valm(w,m-1,n) + bool_to_int(bit(n-m,w))
    END


val_def: AXIOM val(w) = valm(w,N,N)

(* Big Theorems *)

val_mw_thm: THEOREM ( ii >= 0 AND ii < power2(N) )
                IMPLIES val(mw(ii)) = ii

val_range_thm: THEOREM val(w) >= 0 and val(w) < power2(N)
val_bits_thm: THEOREM val(w1) = val(w2) IMPLIES
    (FORALL m: m>=0 AND m<N IMPLIES bit(m,w1)=bit(m,w2))


(* Definition Axioms That Should Be in Proof Section *)

zfun: function[int -> bool]

zfun_ax: AXIOM zfun(n) = ( (n > 0 AND n <= N AND ii >= 0 AND ii < power2(n))
    IMPLIES valm(mwm(ii,n,n),n,n) = ii )

vfun: function[int -> bool]

vfun_ax: AXIOM vfun(m) = ( (m<n and m>=0 and n<=N) IMPLIES
    (valm(w,m,n) = valm(assign(0,b,w),m,n)) )

qfun: function[int -> bool]
qfun_ax: AXIOM qfun(m) =
    ( (m+1>0 and ii>=0 and m<n and ii < power2(m) and n<=N) IMPLIES
      valm(mwm(ii,m,n),m,n) = valm(mwm(ii,m,n-1),m,n-1) )

twen: function[int -> bool]

twen_ax: AXIOM twen(k) = (k>=0 AND k<N AND valm(w1,N,N) = valm(w2,N,N)
    IMPLIES valm(w1,N-k,N)=valm(w2,N-k,N))

weir: function[int -> bool]
weir_ax: AXIOM weir(m) = (
    (m<n and k>0 and m>=0 and n<=N) IMPLIES
    (valm(w,m,n) = valm(assign(n-m-k,b,w),m,n)) )

valpos: function[int -> bool]

valpos_ax: AXIOM valpos(m) = (m>=0 IMPLIES valm(w,m,n) >= 0)
build: function[int -> bool]

build_ax: AXIOM build(k) = (k>=0 AND (FORALL m: m>=N-k AND m<N IMPLIES
    bit(m,w1)=bit(m,w2)) IMPLIES valm(w1,k,N) = valm(w2,k,N))

copy_m_bits: function[int, word, word -> word]
copy_m_bits_ax: AXIOM copy_m_bits(m,w1,w2) =
    ( IF m=0 THEN w1
      ELSE assign(N-m,bit(N-m,w1),copy_m_bits(m-1,w1,w2)) END)
gnu: function[int -> bool]

gnu_ax: AXIOM gnu(k) = (k>=0 AND k<m AND k+N-m>=0 IMPLIES
    bit(k+N-m,copy_m_bits(m,w1,w2)) = bit(k+N-m,w1))

rang: function[int -> bool]

rang_ax: AXIOM rang(m) = (m>=0 and m <= N IMPLIES valm(w,m,N)>=0 AND
    valm(w,m,N) < power2(m))


PROOF

(* val_mw_thm THEOREM

val_mw_thm: AXIOM ( ii >= 0 AND ii < power2(N) ) IMPLIES val(mw(ii)) = ii *)
inv_axiom: LEMMA ( n > 0 AND n <= N AND ii >= 0 AND ii < power2(n) )
    IMPLIES valm(mwm(ii,n,n),n,n) = ii


(* zfun: function[int -> bool]

zfun_ax: AXIOM zfun(n) = ( (n > 0 AND n <= N AND ii >= 0 AND ii < power2(n) )
    IMPLIES valm(mwm(ii,n,n),n,n) = ii ) *)


L0: LEMMA zfun(0)

L1: LEMMA zfun(1)

L1a: LEMMA ( ii >= 0 AND ii < power2(1) ) IMPLIES MOD2(ii) = ii

L1a_a: LEMMA MOD2(0) = 0
L1a_b: LEMMA MOD2(1) = 1

L2: LEMMA zfun(m) IMPLIES zfun(m+1)

L2a: LEMMA (m>=0 and ii>=0) IMPLIES valm(mwm(ii,m+1,m+1),m+1,m+1) =
    2*valm(assign(0,BMOD2(ii),
                  mwm(DIVBY2(ii),m,m+1)),m,m+1) +
    bool_to_int(bit(0,assign(0,BMOD2(ii),
                               mwm(DIVBY2(ii),m,m+1))))


L2b: LEMMA (m>=0 and m+1<=N and ii>=0) IMPLIES
    valm(assign(0,BMOD2(ii),mwm(DIVBY2(ii),m,m+1)),m,m+1) =
    valm(mwm(DIVBY2(ii),m,m+1),m,m+1)


(* vfun: function[int -> bool]

vfun_ax: AXIOM vfun(m) = ( (m<n and m>=0 and n<=N ) IMPLIES
    ( valm(w,m,n) = valm(assign(0,b,w),m,n) ) ) *)


b20: LEMMA vfun(0)
b21: LEMMA vfun(1)

b2m: LEMMA (vfun(m) IMPLIES vfun(m+1))
b2h: LEMMA (h>=0) IMPLIES vfun(h)

L2c: LEMMA (m+1>0 and m+1<=N and ii>=0) IMPLIES
    valm(mwm(ii,m+1,m+1),m+1,m+1) =
    2*valm(mwm(DIVBY2(ii),m,m+1),m,m+1) + MOD2(ii)

L2d: LEMMA (m+1>0 and ii>=0 and ii < power2(m+1) and m+1<=N) IMPLIES
    valm(mwm(DIVBY2(ii),m,m+1),m,m+1) =
    valm(mwm(DIVBY2(ii),m,m),m,m)


(* qfun: function[int -> bool]
qfun_ax: AXIOM qfun(m) =
    ( (m+1>0 and ii>=0 and m<n and ii < power2(m) and n<=N) IMPLIES
      valm(mwm(ii,m,n),m,n) = valm(mwm(ii,m,n-1),m,n-1) ) *)


d20: LEMMA qfun(0)

d20_a: LEMMA valm(mwm(ii,0,n),0,n) = valm(mwm(ii,0,n-1),0,n-1)
d2m: LEMMA (qfun(m) IMPLIES qfun(m+1))

(* weir: function[int -> bool]
weir_ax: AXIOM weir(m) = (
    (m<n and k>0 and m>=0 and n<=N) IMPLIES
    (valm(w,m,n) = valm(assign(n-m-k,b,w),m,n)) ) *)

d2m_1: LEMMA weir(0)

d2m_2: LEMMA weir(m) IMPLIES weir(m+1)

d2m_3: LEMMA h>=0 IMPLIES weir(h)


d2m_4: LEMMA (m<n AND m>=0 AND n<=N) IMPLIES
    (valm(w,m,n) = valm(assign(n-m-1,b,w),m,n))

d2m_5: LEMMA n - m - 1 > 0 IMPLIES n - m - 2 >= 0
d2h: LEMMA (h>=0) IMPLIES qfun(h)


L2e: LEMMA ( ii>=0 and m+1<=N and ii < power2(m+1) )
    IMPLIES valm(mwm(ii,m+1,m+1),m+1,m+1) =
        2*valm(mwm(DIVBY2(ii),m,m),m,m) + MOD2(ii)

L2h: LEMMA (m>=0 AND ii >= 0 AND ii < power2(m+1)) IMPLIES
    (DIVBY2(ii) < power2(m))

L2i: LEMMA (m>0 AND zfun(m)) IMPLIES zfun(m+1)

L3: LEMMA (m>=0) IMPLIES zfun(m)

(* -- PROVE statements for val_mw_thm -- *)


PROVE val_mw_thm FROM inv_axiom{n <- N},
    val_def{w <- mwm(ii,N,N)},
    mw_def,
    N_pos

pinv: PROVE inv_axiom FROM L3{m <- n},
    zfun_ax,
    val_def{w <- mwm(ii,n,n)},
    mw_def

p_L0: PROVE L0 FROM zfun_ax{n <- 0}

p_L1: PROVE L1 FROM zfun_ax{n <- 1},
    valm_def{m <- 1, n <- 1, w <- mwm(ii@P1,1,1)},
    valm_def{m <- 0, n <- 1, w <- mwm(ii@P1,1,1)},
    mwm_def{v <- ii@P1, m <- 1, n <- 1},
    bitassign{i <- 0, k <- 0,
              b <- BMOD2(ii@P1),
              w <- mwm(DIVBY2(ii@P1),0,1)},
    MOD2_ax{i <- ii@P1},
    N_pos, L1a{ii <- ii@P1}
p_L1a: PROVE L1a FROM L1a_a,L1a_b,
    MOD1_ax{i <- 0},
    power2_ax{i<-1}, power2_ax{i<-0},
    y_1{y<-ii}

p_L1aa: PROVE L1a_a FROM BMOD2_ax{i <- 0},
    MOD2_ax{i <- 0},
    DIV_ax{i <- 0}

p_L1ab: PROVE L1a_b FROM BMOD2_ax{i <- 1},MOD2_ax{i<-1},
    DIV_ax{i <- 1}

p_L2: PROVE L2 FROM zfun_ax{n<-m},zfun_ax{n <- m+1},L1,L2i,zfun_ax{n<-1}

p_L2a: PROVE L2a FROM valm_def{w <- mwm(ii,m+1,m+1), m <- m+1, n <- m+1},
    mwm_def{v <- ii, m <- m+1, n <- m+1},
    bitassign{i <- 0, k <- 0, b <- BMOD2(ii),
              w <- mwm(DIVBY2(ii),0,1)},
    N_pos

p_L2b: PROVE L2b FROM b2h{h <- m},
    vfun_ax{m <- m, n <- m+1, b <- BMOD2(ii),
            w <- mwm(DIVBY2(ii),m,m+1)}


p_b20: PROVE b20 FROM
    vfun_ax{m <- 0},
    valm_def{m <- 0},
    valm_def{m <- 0,w <- assign(0,b@P1,w)}

p_b21: PROVE b21 FROM
    vfun_ax{m <- 1},
    valm_def{m <- 1},
    valm_def{m <- 1,w <- assign(0,b@P1,w)},
    valm_def{m <- 0},
    valm_def{m <- 0,w <- assign(0,b@P1,w)},
    bitassign{i <- (n@P1-1),k <- 0}

p_b2m: PROVE b2m FROM
    vfun_ax,
    vfun_ax{m <- m+1},
    valm_def{m <- m+1},
    valm_def{m <- m+1, w <- assign(0,b@P1,w)},
    bitassign{i <- n@P1-m-1, k<- 0}

p_b2h: PROVE b2h FROM b20,
    b2m{m<-d1@P3},
    int_induction{p <- vfun,
                  d2 <- h@C}

p_L2c: PROVE L2c FROM L2a,L2b,
    bitassign{i <- 0, k <- 0,b <- BMOD2(ii),
              w <- mwm(DIVBY2(ii),m,m+1)},
    MOD2_ax{i <- ii},
    N_pos
p_L2d: PROVE L2d FROM d2h{h <- m},
    qfun_ax{ii <- DIVBY2(ii@C),n<-m+1},
    L2h{ii<-ii@C},DIVBY2g0{ii<-ii@C}

p_d20_a: PROVE d20_a FROM valm_def{w<-mwm(ii,0,n),m<-0},
    valm_def{w<-mwm(ii,0,n-1),m<-0,n<-n-1}

p_d20: PROVE d20 FROM power2_ax{i<-0},
    qfun_ax{m <- 0},
    d20_a

p_d2m_5: PROVE d2m_5

p_d2m: PROVE d2m FROM
    qfun_ax,
    qfun_ax{m <- m+1},
    valm_def{w<-mwm(ii@P1,m+1,n@P1),m <- m+1},
    valm_def{w<-mwm(ii@P1,m+1,n@P1-1),m <- m+1,n<-n@P1-1},
    mwm_def{v<-ii@P1,m<-m+1},
    L2h{ii<-ii@P1},DIVBY2g0{ii<-ii@P1},
    d2m_4{w<-mwm(DIVBY2(ii@P1),m,n),b<-BMOD2(ii@P1)},
    qfun_ax{ii<-DIVBY2(ii@P1)},
    d2m_4{w<-mwm(DIVBY2(ii@P1),m,n),b<-BMOD2(ii@P1),
          n<-n@P1-1},
    bitassign{i<-n@P1-m-1,k<-n@P1-m-1,b<-BMOD2(ii@P1),
              w<-mwm(DIVBY2(ii@P1),m,n@P1)},
    bitassign{i<-n@P1-m-2,k<-n@P1-m-2,b<-BMOD2(ii@P1),
              w<-mwm(DIVBY2(ii@P1),m,n@P1-1)},
    d2m_5

p_d2m_1: PROVE d2m_1 FROM weir_ax{m<-0},valm_def{m<-0},
    valm_def{w<-assign(n-m-k@P1,b@P1,w),m<-0}


p_d2m_2: PROVE d2m_2 FROM weir_ax,
    valm_def{w<-assign(n-m-1-k@P1,b@P1,w)},
    weir_ax{m<-m+1,k<-k@P1,b<-b@P1},
    valm_def{m<-m+1},
    weir_ax{k<-k@P1+1,b<-b@P1},
    bitassign{i<-n@P1-m-1,
              k<-n@P1-m-1-k@P1,b<-b@P1}

p_d2m_3: PROVE d2m_3 FROM d2m_1,
    d2m_2{m<-d1@P3},
    int_induction{p <- weir,
                  d2 <- h@C}

p_d2m_4: PROVE d2m_4 FROM d2m_3{h<-m},weir_ax{m<-m@C,k<-1}
p_d2h: PROVE d2h FROM d20,
    d2m{m<-d1@P3},
    int_induction{p <- qfun,
                  d2 <- h@C}

p_L2e: PROVE L2e FROM L2c,L2d

p_L2h: PROVE L2h FROM power2_ax{i <- m+1},
    DIVBY2x2

p_L2i: PROVE L2i FROM zfun_ax{n <- m + 1, ii <- power2(m@C + 1)},
    L2e{ii <- ii@P1},
    zfun_ax{n <- m, ii <- DIVBY2(ii@P1)},
    DIV_MOD_thm,
    DIVBY2g0{ii <- ii@P1},
    L2h{ii <- ii@P1}


p_L3: PROVE L3 FROM L0,
    L2{m<-d1@P3},
    int_induction{p <- zfun,
                  d2 <- m@C},
    zfun_ax{n <- m+1},
    zfun_ax{n <- m}


(* val_bits_thm THEOREM

val_bits_thm: THEOREM val(w1) = val(w2) IMPLIES
    (FORALL m: m>=0 AND m<N IMPLIES bit(m,w1)=bit(m,w2)) *)

Subwords: THEOREM val(w1) = val(w2) IMPLIES
    (FORALL m: 0<m AND m<=N IMPLIES valm(w1,m,N) = valm(w2,m,N))

(* twen: function[int->bool]

twen_ax: AXIOM twen(k) = (k>=0 AND k<N AND valm(w1,N,N) = valm(w2,N,N)
    IMPLIES valm(w1,N-k,N)=valm(w2,N-k,N)) *)

tw0: LEMMA twen(0)

twk: LEMMA twen(k) IMPLIES twen(k+1)
twh: LEMMA h>=0 IMPLIES twen(h)

T1: LEMMA m>0 AND valm(w1,m,N) = valm(w2,m,N) IMPLIES
    valm(w1,m-1,N) = valm(w2,m-1,N)

T1corol: LEMMA m>0 AND valm(w1,m,N) = valm(w2,m,N) IMPLIES
    bool_to_int(bit(N-m,w1))=bool_to_int(bit(N-m,w2))

V1: LEMMA m>0 IMPLIES DIVBY2(valm(w,m,N)) = valm(w,m-1,N)

(* valpos: function[int -> bool]

valpos_ax: AXIOM valpos(m) = (m>=0 IMPLIES valm(w,m,n) >= 0) *)

val0: LEMMA valpos(0)

valm_step: LEMMA valpos(m) IMPLIES valpos(m+1)
valh: LEMMA h>=0 IMPLIES valpos(h)
valpos_result: LEMMA m>=0 IMPLIES valm(w,m,n)>=0


(* Proof of val_bits_thm Theorem *)

p_val_bits_thm: PROVE val_bits_thm FROM Subwords{m<-N-m@C},
    T1corol{m<-N-m@C}

p_Subwords: PROVE Subwords FROM twh{h<-N-m@C},twen_ax{k<-N-m@C},
    val_def{w<-w1},val_def{w<-w2}

PROVE val0 FROM valm_def{m<-0},valpos_ax{m<-0}

p_valm: PROVE valm_step FROM valm_def{m<-m@C+1},
    val0,valpos_ax{m<-m@C},valpos_ax{m<-m@C+1}

p_valh: PROVE valh FROM val0,valm_step{m<-d1@P3},
    int_induction{p<-valpos,d2<-h@C}

p_valpos: PROVE valpos_result FROM valh{h<-m@C},valpos_ax{m<-m@C}

p_V1: PROVE V1 FROM valm_def{w<-w@C,m<-m@C,n<-N},
    valpos_result{m <- m-1, n<-N},
    valm_def{w<-w@C,m<-0,n<-N},
    DIV_doub{ii <- valm(w,m-1,N)}

p_T1: PROVE T1 FROM V1{w<-w1@C}, V1{w<-w2@C}

p_T1corol: PROVE T1corol FROM T1,valm_def{w<-w1,n<-N},
    valm_def{w<-w2,n<-N}

p_tw0: PROVE tw0 FROM twen_ax{k<-0}

p_twk: PROVE twk FROM tw0,twen_ax,twen_ax{k<-k+1},T1{m<-N-k}
p_twh: PROVE twh FROM tw0,twk{k<-d1@P3},int_induction{p<-twen,d2<-h@C}


(* Bits_enuf THEOREM *)

Bits_enuf: THEOREM (FORALL m: m>=0 AND m<N IMPLIES bit(m,w1)=bit(m,w2))
    IMPLIES val(w1)=val(w2)


Build: LEMMA k>=0 AND (FORALL m: m>=N-k AND m<N IMPLIES
    bit(m,w1)=bit(m,w2)) IMPLIES valm(w1,k,N) = valm(w2,k,N)

(* build: function[int->bool]

build_ax: AXIOM build(k) = (k>=0 AND (FORALL m: m>=N-k AND m<N IMPLIES
    bit(m,w1)=bit(m,w2)) IMPLIES valm(w1,k,N) = valm(w2,k,N)) *)

bld0: LEMMA build(0)

bldk: LEMMA build(k) IMPLIES build(k+1)
bldh: LEMMA h>=0 IMPLIES build(h)


(* Proof of Bits_enuf Theorem *)

p_Bits: PROVE Bits_enuf{m<-m@P1} FROM Build{k<-N},val_def{w<-w1},
    val_def{w<-w2},N_pos

p_Build: PROVE Build{m<-m@P2} FROM bldh{h<-k@C},build_ax{k<-k@C}

p_bld0: PROVE bld0 FROM build_ax{k<-0},valm_def{w<-w1@P1,m<-0,n<-N},
    valm_def{w<-w2@P1,m<-0,n<-N}

p_bldk: PROVE bldk FROM bld0,build_ax,build_ax{k<-k@P2+1,m<-m@P2},
    valm_def{w<-w1@P2,m<-k@P2+1,n<-N},
    valm_def{w<-w2@P2,m<-k@P2+1,n<-N},
    build_ax{k<-k@P2+1,m<-N-k@P2-1}

p_bldh: PROVE bldh FROM bld0,bldk{k<-d1@P3},
    int_induction{p<-build,d2<-h@C}


(* Copy_word_thm THEOREM *)


(* copy_m_bits: function[int, word, word -> word]
copy_m_bits_ax: AXIOM copy_m_bits(m,w1,w2) =
    ( IF m=0 THEN w2
      ELSE assign(N-m,bit(N-m,w1),copy_m_bits(m-1,w1,w2)) END) *)


copy: function[word -> word] =
    (LAMBDA w1 -> word: copy_m_bits(N,w1,newword))

Copy_word_thm: THEOREM k>=0 AND k<N IMPLIES
    bit(k,copy(w1)) = bit(k,w1)

(* gnu: function[int -> bool]

gnu_ax: AXIOM gnu(k) = (k>=0 AND k<m AND k+N-m>=0 IMPLIES
    bit(k+N-m,copy_m_bits(m,w1,w2)) = bit(k+N-m,w1)) *)

gnu0: LEMMA gnu(0)

gnuk: LEMMA gnu(k) IMPLIES gnu(k+1)
gnuh: LEMMA h>=0 IMPLIES gnu(h)

gnu_lemma: LEMMA k>=0 AND k<m AND k+N-m>=0 IMPLIES
    bit(k+N-m,copy_m_bits(m,w1,w2)) = bit(k+N-m,w1)


(* Proof of Copy_word_thm *)

p_gnu_lemma: PROVE gnu_lemma FROM gnuh{h<-k@C},gnu_ax
p_Copy_word_thm: PROVE Copy_word_thm FROM gnu_lemma{m<-N, w2 <- newword}

p_gnu0: PROVE gnu0 FROM gnu_ax{k<-0},copy_m_bits_ax,
    bitassign{i<-N-m@P1,
              k<-N-m@P1,b<-bit(N-m@P1,w1@P1),
              w<-copy_m_bits(m@P1-1,w1@P1,w2@P1)}

p_gnuk: PROVE gnuk FROM gnu0,gnu_ax,gnu_ax{k<-k+1},gnu_ax{m<-m@P2-1},
    copy_m_bits_ax,
    bitassign{i<-k+1+N-m@P2,k<-N-m@P2,
              b<-bit(N-m@P2,w1@P2),
              w<-copy_m_bits(m@P2-1,w1@P2,w2@P2)}

p_gnuh: PROVE gnuh FROM gnu0,gnuk{k<-d1@P3},
    int_induction{p<-gnu,d2<-h@C}


(* val_range_thm THEOREM

val_range_thm: THEOREM val(w) >= 0 and val(w) < power2(N) *)

(* rang: function[int -> bool]

rang_ax: AXIOM rang(m) = (m>=0 and m <= N IMPLIES valm(w,m,N)>=0 AND
    valm(w,m,N) < power2(m)) *)

rang0: LEMMA rang(0)


lrana: LEMMA m>=0 AND valm(w,m,N) < power2(m) IMPLIES
    2*valm(w,m,N) + bool_to_int(bit(N-m-1,w)) < 2*power2(m)

lranb: LEMMA m>=0 and valm(w,m,N) >=0 IMPLIES
    2*valm(w,m,N) + bool_to_int(bit(N-m-1,w)) >= 0

rangm: LEMMA rang(m) IMPLIES rang(m+1)
rangh: LEMMA h>=0 IMPLIES rang(h)

valm_range: THEOREM m>=0 and m<=N IMPLIES valm(w,m,N)>=0 AND
    valm(w,m,N) < power2(m)


(* Proof of val_range_thm *)

p_val_range: PROVE val_range_thm FROM valm_range{m<-N},
    val_def,N_pos


p_rang0: PROVE rang0 FROM rang_ax{m<-0},valm_def{w<-w@P1,m<-0,n<-N},
    N_pos,power2_ax{i<-0}


p_lrana: PROVE lrana FROM N_pos
p_lranb: PROVE lranb
p_rangm: PROVE rangm FROM rang0,rang_ax,rang_ax{m<-m+1},
    valm_def{w<-w@P2,m<-m@C+1,n<-N},
    power2_ax{i<-m@C+1},lrana,lranb

p_rangh: PROVE rangh FROM rang0,rangm{m<-d1@P3},
    int_induction{p<-rang,d2<-h@C}

p_valm_range: PROVE valm_range FROM rangh{h<-m@C},rang_ax

END words
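As an added executable model (not code from the report, RSRE or EHDM), the following Python transcribes the divby2_th, power2_th, words[N] and gwords[N] axioms from Appendix A and this listing, together with the cnt6 counter_ax, and checks the "big theorems" exhaustively for N = 6. Representing a word as a tuple of bools and a general word as a tuple of signalval symbols, choosing newword to be all false, and passing val2(func) directly as an integer are assumptions of the model.

```python
N = 6   # cnt6 is the words[6] instance

# ---- divby2_th / power2_th, written exactly as the axioms state them ----
def DIVBY2(i):
    if i >= 2:
        return 1 + DIVBY2(i - 2)
    if i <= -2:
        return -DIVBY2(-i)
    return 0

def BMOD2(i):
    return 2 * DIVBY2(i) != i

def power2(i):
    return 1 if i == 0 else 2 * power2(i - 1)

# ---- words[N]: a word is modelled as a tuple of N bools ----
newword = (False,) * N   # constructed choice: the theory leaves newword's bits open

def bit(i, w):
    return w[i]

def assign(k, b, w):
    # bitassign: bit(i, assign(k,b,w)) = b when k = i, else bit(i,w)
    return tuple(b if j == k else w[j] for j in range(N))

def mwm(v, m, n):
    # mwm_def: the m low-order bits of v go to positions n-m .. n-1, LSB of v at n-m
    if m == 0:
        return newword
    return assign(n - m, BMOD2(v), mwm(DIVBY2(v), m - 1, n))

def valm(w, m, n):
    # valm_def: read positions n-m .. n-1 back, position n-m least significant
    if m == 0:
        return 0
    return 2 * valm(w, m - 1, n) + (1 if bit(n - m, w) else 0)

def mw(ii):   # mw_def
    return mwm(ii, N, N)

def val(w):   # val_def
    return valm(w, N, N)

# ---- gwords[N]: a general word is a tuple of N signalval symbols ----
newgword = ("x",) * N   # accessnew: Bit(k, newgword) = x

def bool_to_signal(bb):
    return "t" if bb else "f"

def embed(w):   # embed_ax: Bit(i, embed(w)) = bool_to_signal(bit(i, w))
    return tuple(bool_to_signal(b) for b in w)

def Valuable(gw):
    # Valuable_def: EXISTS w: gw = embed(w), i.e. every Bit is t or f
    return all(s in ("t", "f") for s in gw)

def Val(gw):
    # Val is partial: Val_ax only fixes it on embedded boolean words
    if not Valuable(gw):
        raise ValueError("Val is undefined: gword is not Valuable")
    return val(tuple(s == "t" for s in gw))

def Mw(ii):   # Mw_ax
    return embed(mw(ii))

# ---- cnt6 major-state spec (counter_ax); f stands for val2(func) ----
def add1_mod64(w):
    return mw(0) if val(w) == 63 else mw(val(w) + 1)

def exec_cnt_count(cnt, loadin, f):
    # counter_ax: 0 holds, 1 loads, 2 adds one, any other code adds two
    if f == 0:
        return cnt
    if f == 1:
        return loadin
    return add1_mod64(cnt) if f == 2 else add1_mod64(add1_mod64(cnt))

def check_word_theorems():
    """Exhaustive check of the 'big theorems' of words[N] and gwords[N]."""
    rng = range(power2(N))
    words = [mw(ii) for ii in rng]   # all 2^N words, since val(mw(ii)) = ii
    ok = all(val(mw(ii)) == ii and Val(Mw(ii)) == ii for ii in rng)   # val_mw_thm, Val_Mw_thm
    ok = ok and all(0 <= val(w) < power2(N) for w in words)           # val_range_thm
    ok = ok and all((val(w1) == val(w2)) == (w1 == w2)                # val_bits_thm and
                    for w1 in words for w2 in words)                 # Bits_enuf together
    return ok and not Valuable(newgword)   # the fresh general word is not an embedded word

def check_counter_spec(loadin_value=17):
    """Every (count, func) step of counter_ax is (count + k) mod 64, or the load."""
    step = {0: 0, 2: 1, 3: 2}
    for c in range(64):
        for f in range(4):
            got = val(exec_cnt_count(mw(c), mw(loadin_value), f))
            want = loadin_value if f == 1 else (c + step[f]) % 64
            if got != want:
                return False
    return True
```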


power2_th: MODULE

USING int_inductions

EXPORTING power2

THEORY

x: VAR bool
y,m,i,ii,h: VAR int

power2: function[int -> int]

power2_ax: AXIOM power2(i) = IF i=0 THEN 1 ELSE 2*power2(i-1) END


pow_eg: THEOREM (y>=0) IMPLIES (power2(y) >= 0)
pow_gr: THEOREM (y>=0) IMPLIES (power2(y+1) >= power2(y))
xpow: function[int -> bool]
xpow_ax: AXIOM xpow(m) = (power2(m) >= 0)
xp0: LEMMA xpow(0)

xpm: LEMMA (xp0w(m) IMPLIES xpow(m+1))
xph: LEMMA (FORALL h: (h>=0 IMPLIES xpow(h)))

G_0: THEOREM y>=0 IMPLIES 2*y >= 0
G_1: THEOREM y>=0 IMPLIES 2*y+1 >= 0
PROOF

p_pow_eg: PROVE pow_eg FROM xpow_ax{m<-y},
    xph{h<-y}

p_pow_gr: PROVE pow_gr FROM
    G_0, pow_eg, power2_ax{i <- y+1}
p_xp0: PROVE xp0 FROM power2_ax{i<-0},xpow_ax{m<-0}
p_xpm: PROVE xpm FROM
    xpow_ax,
    xpow_ax{m<-m+1},
    power2_ax{i<-m+1},
    G_0{y <- power2(m)}


p_xph: PROVE xph FROM xp0,
    xpm{m<-d1@P3},
    int_induction{p <- xpow,
                  d2<- h@C}

p_G0: PROVE G_0
p_G1: PROVE G_1
END power2_th
divby2_th: MODULE

USING int_inductions, power2_th, ineq_cases

EXPORTING DIVBY2, MOD2, BMOD2

THEORY

b: VAR bool
y, m, i, ii, h: VAR int

DIVBY2: function[int -> int]

DIV_ax: AXIOM DIVBY2(i) = IF i >= 2 THEN 1 + DIVBY2(i-2)
                          ELSE IF i <= -2 THEN -DIVBY2(-i)
                          ELSE 0 END END

BMOD2: function[int -> bool]

BMOD2_ax: AXIOM BMOD2(i) = (2*DIVBY2(i) ~= i)

MOD2: function[int -> int]

MOD2_ax: AXIOM MOD2(i) = IF BMOD2(i) THEN 1 ELSE 0 END

B0: LEMMA BMOD2(0) = false
B1: LEMMA BMOD2(1) = true

Balt: THEOREM h>=0 IMPLIES BMOD2(h) = NOT BMOD2(h+1)
alt: function[int -> bool]

alt_ax: AXIOM alt(ii) = (ii >= 0 IMPLIES BMOD2(ii) = NOT BMOD2(ii+1))

alt0: LEMMA alt(0)
alt1: LEMMA alt(1)

altm: LEMMA alt(m) IMPLIES alt(m+2)

alth: LEMMA h>=0 IMPLIES alt(h)


Even: LEMMA ii>=0 IMPLIES NOT BMOD2(2*ii)

Even_MOD: LEMMA ii>=0 IMPLIES MOD2(2*ii) = 0
kill: function[int -> bool]

kill_ax: AXIOM kill(ii) = (ii>=0 IMPLIES NOT BMOD2(2*ii))
kill0: LEMMA kill(0)
killm: LEMMA kill(m) IMPLIES kill(m+1)
killh: LEMMA h>=0 IMPLIES kill(h)

Odd_MOD: LEMMA ii>=0 IMPLIES MOD2(2*ii+1) = 1

DIVBY2x2: LEMMA (ii >= 0) IMPLIES 2*DIVBY2(ii) <= ii

ifun: function[int -> bool]

ifun_ax: AXIOM ifun(ii) = (ii>=0 IMPLIES 2*DIVBY2(ii) <= ii)

if0: LEMMA ifun(0)
if1: LEMMA ifun(1)

ifm: LEMMA ifun(m) IMPLIES ifun(m+2)
ifh: LEMMA (h>=0) IMPLIES ifun(h)


DIVBY2x2p1: LEMMA (ii >= 0) IMPLIES 2*DIVBY2(ii)+1 >= ii
tfun: function[int -> bool]

tfun_ax: AXIOM tfun(ii) = (ii>=0 IMPLIES 2*DIVBY2(ii)+1 >= ii)

tf0: LEMMA tfun(0)
tf1: LEMMA tfun(1)

tfm: LEMMA tfun(m) IMPLIES tfun(m+2)
tfh: LEMMA (h>=0) IMPLIES tfun(h)


DIV_MOD_thm: LEMMA ii>=0 IMPLIES 2*DIVBY2(ii) + MOD2(ii) = ii

Pre2f: LEMMA ii>=0 IMPLIES (2*DIVBY2(ii) = ii OR 2*DIVBY2(ii) + 1 = ii)


DIVBY2g0: LEMMA (ii >= 0) IMPLIES (DIVBY2(ii) >= 0)

DIV_doub: LEMMA (ii >= 0 IMPLIES DIVBY2(2*ii) = ii) AND
                (ii >= 0 IMPLIES DIVBY2(2*ii+1) = ii)


MOD0_0: LEMMA MOD2(0) = 0
MOD1_1: LEMMA MOD2(1) = 1

PROOF

p_MOD0_0: PROVE MOD0_0 FROM BMOD2_ax{i <- 0},
                            MOD2_ax{i <- 0},
                            DIV_ax{i <- 0}

p_MOD1_1: PROVE MOD1_1 FROM BMOD2_ax{i <- 1}, MOD2_ax{i <- 1},
                            DIV_ax{i <- 1}


p_B0: PROVE B0 FROM BMOD2_ax{i <- 0}, DIV_ax{i <- 0}
p_B1: PROVE B1 FROM BMOD2_ax{i <- 1}, DIV_ax{i <- 1}
p_Balt: PROVE Balt FROM alth{h <- h@C}, alt_ax{ii <- h@C}
palt0: PROVE alt0 FROM alt_ax{ii <- 0}

palt1: PROVE alt1 FROM alt_ax{ii <- 1}, B0, B1,
                       BMOD2_ax{i <- 2}, BMOD2_ax{i <- 1}, DIV_ax{i <- 1},
                       DIV_ax{i <- 2}, DIV_ax{i <- 0}

paltm: PROVE altm FROM alt_ax{ii <- m@C}, alt_ax{ii <- m@C+2}, BMOD2_ax{i <- m},
                       BMOD2_ax{i <- m+3}, DIV_ax{i <- m+2}, DIV_ax{i <- m+3}

palth: PROVE alth FROM alt0, alt1, altm{m <- d1@P4},
                       int_induct_by_2{p <- alt, d2 <- h@C}


p_Even: PROVE Even FROM killh{h <- ii@C}, kill_ax{ii <- ii@C}

p_Even_MOD: PROVE Even_MOD FROM Even{ii <- ii@C}, MOD2_ax{i <- 2*(ii@C)}

p_Odd_MOD: PROVE Odd_MOD FROM MOD2_ax{i <- 2*ii@C+1}, Balt{h <- 2*ii@C},
                              Even{ii <- ii@C}

pDIVBY2x2: PROVE DIVBY2x2 FROM ifh{h <- ii}, ifun_ax
pif0: PROVE if0 FROM ifun_ax{ii <- 0}, DIV_ax{i <- 0}
pif1: PROVE if1 FROM ifun_ax{ii <- 1}, DIV_ax{i <- 1}
pifm: PROVE ifm FROM ifun_ax{ii <- m}, ifun_ax{ii <- (m+2)},
                     DIV_ax{i <- (m+2)}
pifh: PROVE ifh FROM if0, if1, ifm{m <- d1@P4},
                     int_induct_by_2{p <- ifun, d2 <- h@C}


pDIVBY2x2p1: PROVE DIVBY2x2p1 FROM tfh{h <- ii}, tfun_ax
ptf0: PROVE tf0 FROM tfun_ax{ii <- 0}, DIV_ax{i <- 0}
ptf1: PROVE tf1 FROM tfun_ax{ii <- 1}, DIV_ax{i <- 1}
ptfm: PROVE tfm FROM tfun_ax{ii <- m}, tfun_ax{ii <- (m+2)},
                     DIV_ax{i <- (m+2)}
ptfh: PROVE tfh FROM tf0, tf1, tfm{m <- d1@P4},
                     int_induct_by_2{p <- tfun, d2 <- h@C}


p_DIVBY2g0: PROVE DIVBY2g0 FROM DIVBY2x2p1

p_doub: PROVE DIV_doub FROM Even_MOD{ii <- ii@C}, Odd_MOD{ii <- ii@C},
                            G_0{y <- ii@C}, G_1{y <- ii@C},
                            DIV_MOD_thm{ii <- 2*ii@C}, DIV_MOD_thm{ii <- 2*ii@C+1}

p_DIV_MOD_thm: PROVE DIV_MOD_thm FROM Pre2f, MOD2_ax{i <- ii},
                                      BMOD2_ax{i <- ii}

p_Pre2f: PROVE Pre2f FROM DIVBY2x2, DIVBY2x2p1,
                          Y_1{y <- 2*DIVBY2(ii) - ii + 1}

END divby2_th
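The three axioms above define DIVBY2 by recursion on i-2 with a sign case for negative arguments, and every lemma about it carries an ii >= 0 guard. The Python model below is an added illustration, not part of the EHDM text: it evaluates DIV_ax, BMOD2_ax and MOD2_ax as written (the function names are the page's, lower-cased; evaluating DIV_ax by a loop rather than recursion is an implementation choice that yields the same values), checks the bodies of the guarded lemmas over a range, and shows why the guards matter. DIVBY2 truncates toward zero, so for odd negative arguments 2*DIVBY2(ii) + MOD2(ii) is not ii, and DIVBY2 disagrees with floor division there.

```python
# Python model of the divby2_th axioms (added illustration, not from the EHDM
# text).  DIV_ax is evaluated iteratively instead of recursively; the values
# are identical for every integer argument.

def divby2(i):
    """DIV_ax: IF i >= 2 THEN 1 + DIVBY2(i-2) ELSE IF i <= -2 THEN -DIVBY2(-i) ELSE 0."""
    sign = -1 if i <= -2 else 1
    n, q = abs(i), 0
    while n >= 2:          # each unfolding of DIV_ax adds 1 and subtracts 2
        q += 1
        n -= 2
    return sign * q        # n is now 0 or 1, where DIV_ax returns 0

def bmod2(i):
    """BMOD2_ax: BMOD2(i) = (2*DIVBY2(i) ~= i)."""
    return 2 * divby2(i) != i

def mod2(i):
    """MOD2_ax: MOD2(i) = IF BMOD2(i) THEN 1 ELSE 0 END."""
    return 1 if bmod2(i) else 0

def guarded_lemmas_hold(ii):
    """Bodies of DIV_MOD_thm, Balt, Even_MOD, Odd_MOD, DIV_doub and DIVBY2g0 at ii."""
    return (2 * divby2(ii) + mod2(ii) == ii
            and bmod2(ii) == (not bmod2(ii + 1))
            and mod2(2 * ii) == 0 and mod2(2 * ii + 1) == 1
            and divby2(2 * ii) == ii and divby2(2 * ii + 1) == ii
            and divby2(ii) >= 0)

def check_guarded_range(limit=256):
    """True when every guarded lemma body holds for 0 <= ii < limit."""
    return all(guarded_lemmas_hold(ii) for ii in range(limit))

def div_mod_counterexamples(limit=16):
    """Negative ii at which 2*DIVBY2(ii) + MOD2(ii) = ii fails: the odd ones."""
    return [ii for ii in range(-1, -limit - 1, -1)
            if 2 * divby2(ii) + mod2(ii) != ii]

def differs_from_floor(ii):
    """DIVBY2 truncates toward zero; Python's // floors, so they differ for odd negatives."""
    return divby2(ii) != ii // 2
```

The counterexample list is the practical reason the lemmas are stated only for non-negative arguments: the word values DIVBY2 is applied to in cnt6_fa (val2(fn)) are non-negative by val_range_thm, so the guards cost nothing there.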
cnt6_fa: MODULE

(* This module provides a more detailed view of the 6-bit counter function
   defined in the module cnt6. This module defines the counter as a finite
   state automaton with the following states:

       fetchnode   inc1node   inc2node   loadnode

   The state transitions are performed by the function NEXT. *)

MAPPING cnt6 ONTO words, triples[word[6], bool, word[2]], bsignal

THEORY

(* create some abbreviations *)

word2: TYPE is word[2]
word6: TYPE is word[6]

mw2: function[int -> word2] is mw[2]
mw6: function[int -> word6] is mw[6]

val2: function[word2 -> int] is val[2]
val6: function[word6 -> int] is val[6]

bit2: function[int, word2 -> signalval] is bit[2]

statevector: TYPE is triple

count: function[statevector -> word6] is first
double: function[statevector -> bool] is second
node: function[statevector -> word2] is third

BOOLF: function[signalval -> bool] is signal_to_bool

(* define logic constants *)

fetchnode: word2 = mw2(0)
inc1node: word2 = mw2(1)
inc2node: word2 = mw2(2)
loadnode: word2 = mw2(3)

undef_svt: statevector

(* define logic variables *)

svt: VAR statevector
ct, ldn, w: VAR word6
fn: VAR word2
dbl, b: VAR bool

(* define functions *)
ADD1: function[word6 -> word6] =
   (LAMBDA w -> word6:
      IF val6(w) = 63 THEN mw6(0) ELSE mw6(val6(w)+1) END)

INC1: function[word6, bool, word6, word2 -> statevector]

INC1_ax: AXIOM INC1(ct, dbl, ldn, fn) =
   IF dbl THEN make_triple(ADD1(ct), BOOLF(bit2(0,fn)), inc2node)
   ELSE make_triple(ADD1(ct), BOOLF(bit2(0,fn)), fetchnode)
   END

INC2: function[word6, bool, word6, word2 -> statevector]

INC2_ax: AXIOM INC2(ct, dbl, ldn, fn) =
   make_triple(ADD1(ct), BOOLF(bit2(0,fn)), fetchnode)

LOAD: function[word6, bool, word6, word2 -> statevector]

LOAD_ax: AXIOM LOAD(ct, dbl, ldn, fn) =
   make_triple(ldn, BOOLF(bit2(0,fn)), fetchnode)

FETCH: function[word6, bool, word6, word2 -> statevector]

FETCH_ax: AXIOM FETCH(ct, dbl, ldn, fn) =
   IF val2(fn) = 0 THEN make_triple(ct, BOOLF(bit2(0,fn)), fetchnode)
   ELSIF val2(fn) = 1 THEN make_triple(ct, BOOLF(bit2(0,fn)), loadnode)
   ELSE make_triple(ct, BOOLF(bit2(0,fn)), inc1node)
   END

NEXT: function[statevector, word6, word2 -> statevector]

(*
NEXT_ax: AXIOM NEXT(svt, ldn, fn) =
   IF val2(node(svt)) = 0 THEN FETCH(count(svt), double(svt), ldn, fn)
   ELSIF val2(node(svt)) = 1 THEN INC1(count(svt), double(svt), ldn, fn)
   ELSIF val2(node(svt)) = 2 THEN INC2(count(svt), double(svt), ldn, fn)
   ELSIF val2(node(svt)) = 3 THEN LOAD(count(svt), double(svt), ldn, fn)
   ELSE undef_svt
   END
*)

NEXT0_ax: AXIOM val2(node(svt)) = 0 IMPLIES
   NEXT(svt, ldn, fn) = FETCH(count(svt), double(svt), ldn, fn)

NEXT1_ax: AXIOM val2(node(svt)) = 1 IMPLIES
   NEXT(svt, ldn, fn) = INC1(count(svt), double(svt), ldn, fn)

NEXT2_ax: AXIOM val2(node(svt)) = 2 IMPLIES
   NEXT(svt, ldn, fn) = INC2(count(svt), double(svt), ldn, fn)

NEXT3_ax: AXIOM val2(node(svt)) = 3 IMPLIES
   NEXT(svt, ldn, fn) = LOAD(count(svt), double(svt), ldn, fn)


Finite_automata: function[statevector, word6, word2 -> statevector] =
   (LAMBDA svt, ldn, fn -> statevector:
      IF val2(fn) = 0 THEN
         NEXT(svt, ldn, fn)
      ELSIF val2(fn) = 3 THEN
         NEXT(NEXT(NEXT(svt, ldn, fn), ldn, fn), ldn, fn)
      ELSE
         NEXT(NEXT(svt, ldn, fn), ldn, fn)
      END)

(* Mapping to Top Level Spec in Module cnt6 *)

cnt6.states: TYPE FROM statevector

cnt6.cnt: function[statevector -> word6] is count

cnt6.exec_cnt: function[statevector, word6, word2 -> statevector]
   is Finite_automata

cnt6.ready: function[statevector -> bool] =
   (LAMBDA svt -> bool: node(svt) = fetchnode)

(* LEMMAS *)

st, state: VAR states
loadin, ld: VAR word6
func: VAR word2
y, m: VAR int

(* LEMMAS needed to prove counter_ax *)

g1: LEMMA power2(2) = 4

g2: LEMMA val2(fn) = 0 OR val2(fn) = 1 OR
          val2(fn) = 2 OR val2(fn) = 3

g2a: THEOREM (y >= 0 AND y < m) IMPLIES ((y >= 0 AND y < m-1) OR (y = m-1))
g3: LEMMA bit2(0,fn) = BMOD2(val2(fn))

stb1: LEMMA ready(st) IMPLIES val2(node(st)) = 0

cnt_0: LEMMA ready(state) AND val2(func) = 0
   IMPLIES cnt(exec_cnt(state, loadin, func)) = cnt(state)
       AND ready(exec_cnt(state, loadin, func))

cnt_1: LEMMA ready(state) AND val2(func) = 1
   IMPLIES cnt(exec_cnt(state, loadin, func)) = loadin
       AND ready(exec_cnt(state, loadin, func))

cnt_2: LEMMA ready(state) AND val2(func) = 2
   IMPLIES cnt(exec_cnt(state, loadin, func)) = add1_mod64(cnt(state))
       AND ready(exec_cnt(state, loadin, func))

cnt_3: LEMMA ready(state) AND val2(func) = 3
   IMPLIES cnt(exec_cnt(state, loadin, func)) =
           add1_mod64(add1_mod64(cnt(state)))
       AND ready(exec_cnt(state, loadin, func))


(* LEMMAS needed to prove cnt_1 *)

c1a: LEMMA ready(st) AND val2(fn) = 1
   IMPLIES exec_cnt(st, ld, fn) =
           NEXT(FETCH(cnt(st), double(st), ld, fn), ld, fn)

c1b: LEMMA val2(fn) = 1 IMPLIES
   NEXT(FETCH(cnt(st), double(st), ld, fn), ld, fn) =
   LOAD(cnt(st), BOOLF(bit2(0,fn)), ld, fn)


(* LEMMAS needed to prove cnt_2 *)

c2a: LEMMA ready(st) AND val2(fn) = 2 IMPLIES
   exec_cnt(st, ld, fn) =
   NEXT(FETCH(cnt(st), double(st), ld, fn), ld, fn)

c2b: LEMMA ready(st) AND val2(fn) = 2 IMPLIES
   NEXT(FETCH(cnt(st), double(st), ld, fn), ld, fn) =
   NEXT(make_triple(cnt(st), BOOLF(bit2(0,fn)), inc1node), ld, fn)

c2c: LEMMA ready(st) AND val2(fn) = 2 IMPLIES
   NEXT(make_triple(cnt(st), BOOLF(bit2(0,fn)), inc1node), ld, fn) =
   INC1(cnt(make_triple(cnt(st), BOOLF(bit2(0,fn)), inc1node)),
        double(make_triple(cnt(st), BOOLF(bit2(0,fn)), inc1node)),
        ld, fn)

c2d: LEMMA ready(st) AND val2(fn) = 2 IMPLIES
   INC1(cnt(make_triple(cnt(st), BOOLF(bit2(0,fn)), inc1node)),
        double(make_triple(cnt(st), BOOLF(bit2(0,fn)), inc1node)),
        ld, fn) =
   INC1(cnt(st), BOOLF(bit2(0,fn)), ld, fn)

c2e: LEMMA val2(fn) = 2 IMPLIES NOT BOOLF(bit2(0,fn))

c2f: LEMMA ready(st) AND val2(fn) = 2 IMPLIES
   INC1(cnt(st), BOOLF(bit2(0,fn)), ld, fn) =
   make_triple(ADD1(cnt(st)), BOOLF(bit2(0,fn)), fetchnode)

(* LEMMAS needed to prove cnt_3 *)

c3a: LEMMA ready(st) AND val2(fn) = 3 IMPLIES
   exec_cnt(st, ld, fn) =
   NEXT(NEXT(NEXT(st, ld, fn), ld, fn), ld, fn)

c3b: LEMMA ready(st) AND val2(fn) = 3 IMPLIES
   NEXT(NEXT(NEXT(st, ld, fn), ld, fn), ld, fn) =
   NEXT(NEXT(FETCH(cnt(st), double(st), ld, fn), ld, fn), ld, fn)

c3c: LEMMA ready(st) AND val2(fn) = 3 IMPLIES
   NEXT(NEXT(FETCH(cnt(st), double(st), ld, fn), ld, fn), ld, fn) =
   NEXT(NEXT(make_triple(cnt(st), BOOLF(bit2(0,fn)), inc1node),
             ld, fn), ld, fn)

c3d: LEMMA ready(st) AND val2(fn) = 3 IMPLIES
   NEXT(NEXT(make_triple(cnt(st), BOOLF(bit2(0,fn)), inc1node),
             ld, fn), ld, fn) =
   NEXT(INC1(cnt(make_triple(cnt(st), BOOLF(bit2(0,fn)), inc1node)),
             double(make_triple(cnt(st), BOOLF(bit2(0,fn)), inc1node)),
             ld, fn), ld, fn)

c3e: LEMMA ready(st) AND val2(fn) = 3 IMPLIES
   NEXT(INC1(cnt(make_triple(cnt(st), BOOLF(bit2(0,fn)), inc1node)),
             double(make_triple(cnt(st), BOOLF(bit2(0,fn)), inc1node)),
             ld, fn), ld, fn) =
   NEXT(make_triple(ADD1(cnt(st)), BOOLF(bit2(0,fn)), inc2node), ld, fn)

c3f: LEMMA ready(st) AND val2(fn) = 3 IMPLIES
   NEXT(make_triple(ADD1(cnt(st)), BOOLF(bit2(0,fn)), inc2node), ld, fn) =
   INC2(cnt(make_triple(ADD1(cnt(st)), BOOLF(bit2(0,fn)), inc2node)),
        double(make_triple(ADD1(cnt(st)), BOOLF(bit2(0,fn)), inc2node)),
        ld, fn)

c3g: LEMMA ready(st) AND val2(fn) = 3 IMPLIES
   INC2(cnt(make_triple(ADD1(cnt(st)), BOOLF(bit2(0,fn)), inc2node)),
        double(make_triple(ADD1(cnt(st)), BOOLF(bit2(0,fn)), inc2node)),
        ld, fn) =
   INC2(ADD1(cnt(st)), BOOLF(bit2(0,fn)), ld, fn)

c3h: LEMMA ready(st) AND val2(fn) = 3 IMPLIES
   INC2(ADD1(cnt(st)), BOOLF(bit2(0,fn)), ld, fn) =
   make_triple(ADD1(ADD1(cnt(st))), BOOLF(bit2(0,fn)), fetchnode)

c3n: LEMMA val2(inc1node) = 1

c3p: LEMMA val2(fn) = 3 IMPLIES BOOLF(bit2(0,fn))
PROOF

p_assuming1: PROVE words[2].N_pos

p_counter_ax: PROVE counter_ax
   FROM cnt_0{func <- func@C, loadin <- loadin@C},
        cnt_1{func <- func@C, loadin <- loadin@C},
        cnt_2{func <- func@C, loadin <- loadin@C},
        cnt_3{func <- func@C, loadin <- loadin@C},
        g2{fn <- func@C},
        val_range_thm[2]{w <- func@C}

p_ready_ax: PROVE ready_ax
   FROM cnt_0{func <- func@C, loadin <- loadin@C},
        cnt_1{func <- func@C, loadin <- loadin@C},
        cnt_2{func <- func@C, loadin <- loadin@C},
        cnt_3{func <- func@C, loadin <- loadin@C},
        g2{fn <- func@C},
        val_range_thm[2]{w <- func@C}


p_g1: PROVE g1 FROM power2_ax{i <- 2},
                    power2_ax{i <- 1},
                    power2_ax{i <- 0}

p_g2: PROVE g2 FROM g1, val_range_thm[2]{w <- fn@C},
                    g2a{y <- val2(fn), m <- 4},
                    g2a{y <- val2(fn), m <- 3},
                    g2a{y <- val2(fn), m <- 2},
                    g2a{y <- val2(fn), m <- 1}

p_g2a: PROVE g2a

p_g3: PROVE g3 FROM val_mw_thm[2]{ii <- val2(fn)}, g1,
                    val_range_thm[2]{w <- fn},
                    val_bits_thm[2]{w1 <- fn, m <- 0,
                                    w2 <- mw2(val2(fn))},
                    mw_def[2]{ii <- val2(fn)},
                    mwm_def[2]{v <- val2(fn), m <- 2, n <- 2},
                    bitassign[2]{i <- 0, k <- 0, b <- BMOD2(val2(fn)),
                                 w <- mwm[2](DIVBY2(val2(fn)), 1, 2)}


p_stb1: PROVE stb1 FROM val_mw_thm[2]{ii <- 0}, g1
(* PROVE cnt_0 *)

p_cnt_0: PROVE cnt_0 FROM NEXT0_ax{svt <- state@C,
                                   ldn <- loadin@C,
                                   fn <- func@C},
                          FETCH_ax{ct <- cnt(state@C),
                                   dbl <- double(state@C),
                                   ldn <- loadin@C,
                                   fn <- func@C},
                          make_triple_ax{x <- cnt(state@C),
                                         y <- BOOLF(bit2(0,func@C)),
                                         z <- fetchnode},
                          stb1{st <- state@C}

(* PROVE cnt_1 *)

p_cnt_1: PROVE cnt_1 FROM c1a{st <- state@C, fn <- func@C, ld <- loadin@C},
                          c1b{st <- state@C, fn <- func@C, ld <- loadin@C},
                          LOAD_ax{ct <- cnt(state@C),
                                  dbl <- BOOLF(bit2(0,func@C)),
                                  ldn <- loadin@C,
                                  fn <- func@C},
                          make_triple_ax{x <- loadin@C,
                                         y <- BOOLF(bit2(0,func@C)),
                                         z <- fetchnode}

p_c1a: PROVE c1a FROM NEXT0_ax{svt <- st@C,
                               ldn <- ld@C,
                               fn <- fn@C},
                      stb1

p_c1b: PROVE c1b FROM FETCH_ax{ct <- cnt(st@C),
                               dbl <- double(st@C),
                               ldn <- ld@C,
                               fn <- fn@C},
                      NEXT3_ax{svt <- make_triple(cnt(st@C),
                                                  BOOLF(bit2(0,fn@C)),
                                                  loadnode),
                               ldn <- ld@C,
                               fn <- fn@C},
                      make_triple_ax{x <- cnt(st@C),
                                     y <- BOOLF(bit2(0,fn@C)),
                                     z <- loadnode},
                      val_mw_thm[2]{ii <- 3},
                      power2_ax{i <- 2},
                      power2_ax{i <- 1},
                      power2_ax{i <- 0}
(* PROVE cnt_2 *)

p_cnt_2: PROVE cnt_2 FROM c2a{st <- state@C, fn <- func@C, ld <- loadin@C},
                          c2b{st <- state@C, fn <- func@C, ld <- loadin@C},
                          c2c{st <- state@C, fn <- func@C, ld <- loadin@C},
                          c2d{st <- state@C, fn <- func@C, ld <- loadin@C},
                          c2e{fn <- func@C},
                          c2f{st <- state@C, fn <- func@C, ld <- loadin@C},
                          make_triple_ax{x <- ADD1(cnt(state@C)),
                                         y <- BOOLF(bit2(0,func@C)),
                                         z <- fetchnode}


p_c2a: PROVE c2a FROM stb1,
                      NEXT0_ax{svt <- st,
                               ldn <- ld,
                               fn <- fn}

p_c2b: PROVE c2b FROM FETCH_ax{ct <- cnt(st),
                               dbl <- double(st),
                               ldn <- ld,
                               fn <- fn}

p_c2c: PROVE c2c FROM NEXT1_ax{svt <- make_triple(cnt(st),
                                                  BOOLF(bit2(0,fn)),
                                                  inc1node),
                               ldn <- ld,
                               fn <- fn},
                      val_mw_thm[2]{ii <- 1}, g1,
                      make_triple_ax{x <- cnt(st),
                                     y <- BOOLF(bit2(0,fn)),
                                     z <- inc1node}

p_c2d: PROVE c2d FROM make_triple_ax{x <- cnt(st),
                                     y <- BOOLF(bit2(0,fn)),
                                     z <- inc1node}


p_c2e: PROVE c2e FROM g3,
                      BMOD2_ax{i <- 2}, BMOD2_ax{i <- 0},
                      DIV_ax{i <- 2}, DIV_ax{i <- 0}


p_c2f: PROVE c2f FROM INC1_ax{ct <- cnt(st@C),
                              dbl <- BOOLF(bit2(0,fn)),
                              ldn <- ld@C,
                              fn <- fn@C},
                      c2e
(* PROVE cnt_3 *)

p_cnt_3: PROVE cnt_3 FROM c3a{st <- state@C, fn <- func@C, ld <- loadin@C},
                          c3b{st <- state@C, fn <- func@C, ld <- loadin@C},
                          c3c{st <- state@C, fn <- func@C, ld <- loadin@C},
                          c3d{st <- state@C, fn <- func@C, ld <- loadin@C},
                          c3e{st <- state@C, fn <- func@C, ld <- loadin@C},
                          c3f{st <- state@C, fn <- func@C, ld <- loadin@C},
                          c3p{fn <- func@C}, c3n,
                          c3g{st <- state@C, fn <- func@C, ld <- loadin@C},
                          c3h{st <- state@C, fn <- func@C, ld <- loadin@C},
                          make_triple_ax{x <- cnt(state@C),
                                         y <- BOOLF(bit2(0,func@C)),
                                         z <- inc1node},
                          make_triple_ax{x <- ADD1(cnt(state@C)),
                                         y <- BOOLF(bit2(0,func@C)),
                                         z <- inc2node},
                          make_triple_ax{x <- ADD1(ADD1(cnt(state@C))),
                                         y <- BOOLF(bit2(0,func@C)),
                                         z <- fetchnode}


p_c3a: PROVE c3a

p_c3b: PROVE c3b FROM stb1, NEXT0_ax{svt <- st@C, ldn <- ld@C, fn <- fn@C}

p_c3c: PROVE c3c FROM FETCH_ax{ct <- cnt(st@C), dbl <- double(st@C), ldn <- ld@C,
                               fn <- fn@C}

p_c3d: PROVE c3d FROM NEXT1_ax{svt <- make_triple(cnt(st@C),
                                                  BOOLF(bit2(0,fn@C)), inc1node),
                               ldn <- ld@C, fn <- fn@C},
                      g1, val_mw_thm[2]{ii <- 1},
                      make_triple_ax{x <- cnt(st@C),
                                     y <- BOOLF(bit2(0,fn@C)), z <- inc1node}

p_c3e: PROVE c3e FROM INC1_ax{ct <- cnt(make_triple(cnt(st@C),
                                                    BOOLF(bit2(0,fn@C)), inc1node)),
                              dbl <- double(make_triple(cnt(st@C),
                                                        BOOLF(bit2(0,fn@C)), inc1node)),
                              ldn <- ld@C, fn <- fn@C},
                      c3p, make_triple_ax{x <- cnt(st@C),
                                          y <- BOOLF(bit2(0,fn@C)),
                                          z <- inc1node}


p_c3f: PROVE c3f FROM NEXT2_ax{svt <- make_triple(ADD1(cnt(st@C)),
                                                  BOOLF(bit2(0,fn@C)), inc2node),
                               ldn <- ld@C, fn <- fn@C}, g1,
                      val_mw_thm[2]{ii <- 2},
                      make_triple_ax{x <- ADD1(cnt(st@C)),
                                     y <- BOOLF(bit2(0,fn@C)), z <- inc2node}

p_c3n: PROVE c3n FROM power2_ax{i <- 1}, power2_ax{i <- 0},
                      val_mw_thm[2]{ii <- 1}, g1

p_c3g: PROVE c3g FROM make_triple_ax{x <- ADD1(cnt(st@C)),
                                     y <- BOOLF(bit2(0,fn)), z <- inc2node}

p_c3h: PROVE c3h FROM INC2_ax{ct <- ADD1(cnt(st@C)), dbl <- BOOLF(bit2(0,fn@C)),
                              ldn <- ld@C, fn <- fn@C}


p_c3p: PROVE c3p FROM g3,
                      BMOD2_ax{i <- 3}, BMOD2_ax{i <- 1},
                      DIV_ax{i <- 3}, DIV_ax{i <- 1}


END cnt6_fa

triples: MODULE [firsttype, secondtype, thirdtype: TYPE]

EXPORTING triple, first, second, third, make_triple
THEORY

triple: TYPE

first: function[triple -> firsttype]
second: function[triple -> secondtype]
third: function[triple -> thirdtype]

make_triple: function[firsttype, secondtype, thirdtype -> triple]


x: VAR firsttype
y: VAR secondtype
z: VAR thirdtype
t: VAR triple

make_triple_ax: AXIOM
       x = first(make_triple(x, y, z))
   AND y = second(make_triple(x, y, z))
   AND z = third(make_triple(x, y, z))

(* exists_triple_ax: AXIOM
      (FORALL t: (EXISTS x, y, z: t = make_triple(x, y, z)))
*)

END triples


bsignal: MODULE

EXPORTING signalval, signal_to_bool

THEORY

b: VAR bool

signalval: TYPE is bool

signal_to_bool: function[signalval -> bool] = (LAMBDA b -> bool: b)
END bsignal
cnt6_blk: MODULE

MAPPING cnt6_fa ONTO words, triples[word[6], bool, word[2]], bsignal
THEORY

(* define abbreviations for 'words' *)

word2: TYPE is word[2]
word6: TYPE is word[6]

mw2: function[int -> word2] is mw[2]
val2: function[word2 -> int] is val[2]
bit2: function[int, word2 -> signalval] is bit[2]

mw6: function[int -> word6] is mw[6]
val6: function[word6 -> int] is val[6]
bit6: function[int, word6 -> signalval] is bit[6]

BOOLF: function[signalval -> bool] is signal_to_bool

statevector: TYPE is triple

(* logic constants defined in cnt6_fa:

   fetchnode: word2 = mw2(0)
   inc1node: word2 = mw2(1)
   inc2node: word2 = mw2(2)
   loadnode: word2 = mw2(3)
*)

(* define logic variables *)

stv: VAR statevector
ct, incout, loadin: VAR word6
noinc: VAR bool
nd, func: VAR word2
dbl: VAR bool
mplxsel: VAR bool

(* define functions *)

INCLOGIC: function[word6, bool -> word6]

INCLOGIC_ax: AXIOM INCLOGIC(ct, noinc) =
   IF noinc THEN ct
   ELSE ADD1(ct)
   END


MULTIPLEX: function[word6, word6, bool -> word6]
MULTIPLEX_ax: AXIOM MULTIPLEX(incout, loadin, mplxsel) =
   IF mplxsel THEN incout
   ELSE loadin
   END

MPLXCON: function[word2 -> bool] =
   (LAMBDA nd -> bool: NOT (val2(nd) = 3))
INCCON: function[word2 -> bool] =
   (LAMBDA nd -> bool: (val2(nd) = 0))


NEXTNODE: function[word2, word2, bool -> word2]

(*
NEXTNODE_ax: AXIOM NEXTNODE(nd, func, dbl) =
   IF val2(nd) = 0 THEN
      IF val2(func) = 0 THEN fetchnode
      ELSIF val2(func) = 1 THEN loadnode
      ELSE inc1node
      END
   ELSIF val2(nd) = 1 THEN
      IF dbl THEN inc2node
      ELSE fetchnode
      END
   ELSE
      fetchnode
   END
*)

NEXTNODE0_ax: AXIOM val2(nd) = 0 IMPLIES
   NEXTNODE(nd, func, dbl) =
      IF val2(func) = 0 THEN fetchnode
      ELSIF val2(func) = 1 THEN loadnode
      ELSE inc1node
      END

NEXTNODE1_ax: AXIOM val2(nd) = 1 IMPLIES
   NEXTNODE(nd, func, dbl) = IF dbl THEN inc2node
                             ELSE fetchnode
                             END

NEXTNODE2a3_ax: AXIOM val2(nd) = 2 OR val2(nd) = 3 IMPLIES
   NEXTNODE(nd, func, dbl) = fetchnode

COUNTLOGIC: function[statevector, word6, word2 -> statevector] =
   (LAMBDA stv, loadin, func -> statevector:
      make_triple(MULTIPLEX(INCLOGIC(count(stv),
                                     INCCON(node(stv))),
                            loadin,
                            MPLXCON(node(stv))),
                  BOOLF(bit2(0, func)),
                  NEXTNODE(node(stv), func, double(stv))))


cnt6_fa.NEXT: function[statevector, word6, word2 -> statevector] = COUNTLOGIC

(* LEMMAS needed to prove NEXT0_ax *)

ldn: VAR word6
fn: VAR word2
case_0: LEMMA val2(node(stv)) = 0 IMPLIES
   COUNTLOGIC(stv, ldn, fn) = FETCH(count(stv), double(stv), ldn, fn)

cs0a: LEMMA val2(node(stv)) = 0 IMPLIES
   COUNTLOGIC(stv, ldn, fn) =
      make_triple(count(stv),
                  BOOLF(bit2(0,fn)),
                  NEXTNODE(node(stv), fn, double(stv)))

cs0b: LEMMA val2(node(stv)) = 0 IMPLIES
   make_triple(count(stv),
               BOOLF(bit2(0,fn)),
               NEXTNODE(node(stv), fn, double(stv))) =
   FETCH(count(stv), double(stv), ldn, fn)


(* LEMMAS needed to prove NEXT1_ax *)

case_1: LEMMA val2(node(stv)) = 1 IMPLIES
   COUNTLOGIC(stv, ldn, fn) = INC1(count(stv), double(stv), ldn, fn)

cs1a: LEMMA val2(node(stv)) = 1 IMPLIES
   COUNTLOGIC(stv, ldn, fn) =
      make_triple(ADD1(count(stv)),
                  BOOLF(bit2(0,fn)),
                  NEXTNODE(node(stv), fn, double(stv)))

cs1b: LEMMA val2(node(stv)) = 1 IMPLIES
   make_triple(ADD1(count(stv)),
               BOOLF(bit2(0,fn)),
               NEXTNODE(node(stv), fn, double(stv))) =
   INC1(count(stv), double(stv), ldn, fn)


(* LEMMAS needed to prove NEXT2_ax *)

case_2: LEMMA val2(node(stv)) = 2 IMPLIES
   COUNTLOGIC(stv, ldn, fn) = INC2(count(stv), double(stv), ldn, fn)

cs2a: LEMMA val2(node(stv)) = 2 IMPLIES
   COUNTLOGIC(stv, ldn, fn) =
      make_triple(ADD1(count(stv)),
                  BOOLF(bit2(0,fn)),
                  NEXTNODE(node(stv), fn, double(stv)))

cs2b: LEMMA val2(node(stv)) = 2 IMPLIES
   make_triple(ADD1(count(stv)),
               BOOLF(bit2(0,fn)),
               NEXTNODE(node(stv), fn, double(stv))) =
   INC2(count(stv), double(stv), ldn, fn)


(* LEMMAS needed to prove NEXT3_ax *)

case_3: LEMMA val2(node(stv)) = 3 IMPLIES
   COUNTLOGIC(stv, ldn, fn) = LOAD(count(stv), double(stv), ldn, fn)

cs3a: LEMMA val2(node(stv)) = 3 IMPLIES
   COUNTLOGIC(stv, ldn, fn) =
      make_triple(ldn,
                  BOOLF(bit2(0,fn)),
                  NEXTNODE(node(stv), fn, double(stv)))

cs3b: LEMMA val2(node(stv)) = 3 IMPLIES
   make_triple(ldn,
               BOOLF(bit2(0,fn)),
               NEXTNODE(node(stv), fn, double(stv))) =
   LOAD(count(stv), double(stv), ldn, fn)

PROOF

p_case_0: PROVE case_0 FROM cs0a, cs0b

p_cs0a: PROVE cs0a FROM INCLOGIC_ax{ct <- count(stv),
                                    noinc <- INCCON(node(stv))},
                        MULTIPLEX_ax{incout <- count(stv),
                                     loadin <- ldn,
                                     mplxsel <- MPLXCON(node(stv))}

p_cs0b: PROVE cs0b FROM FETCH_ax{ct <- count(stv),
                                 dbl <- double(stv),
                                 ldn <- ldn, fn <- fn},
                        NEXTNODE0_ax{nd <- node(stv),
                                     func <- fn,
                                     dbl <- double(stv)}

p_case_1: PROVE case_1 FROM cs1a, cs1b

p_cs1a: PROVE cs1a FROM INCLOGIC_ax{ct <- count(stv),
                                    noinc <- INCCON(node(stv))},
                        MULTIPLEX_ax{incout <- ADD1(count(stv)),
                                     loadin <- ldn,
                                     mplxsel <- MPLXCON(node(stv))}

p_cs1b: PROVE cs1b FROM INC1_ax{ct <- count(stv),
                                dbl <- double(stv),
                                ldn <- ldn, fn <- fn},
                        NEXTNODE1_ax{nd <- node(stv),
                                     func <- fn,
                                     dbl <- double(stv)}

p_case_2: PROVE case_2 FROM cs2a, cs2b

p_cs2a: PROVE cs2a FROM INCLOGIC_ax{ct <- count(stv),
                                    noinc <- INCCON(node(stv))},
                        MULTIPLEX_ax{incout <- ADD1(count(stv)),
                                     loadin <- ldn,
                                     mplxsel <- MPLXCON(node(stv))}

p_cs2b: PROVE cs2b FROM INC2_ax{ct <- count(stv),
                                dbl <- double(stv),
                                ldn <- ldn, fn <- fn},
                        NEXTNODE2a3_ax{nd <- node(stv),
                                       func <- fn,
                                       dbl <- double(stv)}

p_case_3: PROVE case_3 FROM cs3a, cs3b

p_cs3a: PROVE cs3a FROM MULTIPLEX_ax{incout <- INCLOGIC(count(stv),
                                                        INCCON(node(stv))),
                                     loadin <- ldn,
                                     mplxsel <- MPLXCON(node(stv))}

p_cs3b: PROVE cs3b FROM LOAD_ax{ct <- count(stv),
                                dbl <- double(stv),
                                ldn <- ldn, fn <- fn},
                        NEXTNODE2a3_ax{nd <- node(stv),
                                       func <- fn,
                                       dbl <- double(stv)}

END cnt6_blk


cnt6_cir: MODULE

MAPPING cnt6_blk ONTO words, triples, bsignal
THEORY

(* abbreviations *)

word2: TYPE is word[2]
word6: TYPE is word[6]

cntrlsigs: TYPE is triple[bool, bool, word[2]]

bit2: function[int, word2 -> bool] is bit[2]
bit6: function[int, word6 -> bool] is bit[6]
assign2: function[int, bool, word2 -> word2] is assign[2]
assign6: function[int, bool, word6 -> word6] is assign[6]

(* circuit elements *)

b, b1, b2, b3, b4: VAR bool

INV: function[bool -> bool] = (LAMBDA b -> bool: not b)

NAND2: function[bool, bool -> bool] =
   (LAMBDA b1, b2 -> bool: not (b1 and b2))

NAND3: function[bool, bool, bool -> bool] =
   (LAMBDA b1, b2, b3 -> bool: not (b1 and b2 and b3))

NAND4: function[bool, bool, bool, bool -> bool] =
   (LAMBDA b1, b2, b3, b4 -> bool: not (b1 and b2 and b3 and b4))

XNOR: function[bool, bool -> bool] =
   (LAMBDA b1, b2 -> bool: not (not b1 and b2 or b1 and not b2))

NOR2: function[bool, bool -> bool] =
   (LAMBDA b1, b2 -> bool: not (b1 or b2))

(* logic variables *)

i0, i1, i2, i3, i4, i5: VAR bool
lbit, lsel, incbit, incsel: VAR bool
incout, loadin, cntr: VAR word6
mplxsel, noinc, Double: VAR bool
Node, Func: VAR word2

(* circuit definition *)

output: function[bool, bool, bool, bool, bool, bool -> word6] =
   (LAMBDA i0, i1, i2, i3, i4, i5 -> word6:
      assign6(0, i0,
      assign6(1, i1,
      assign6(2, i2,
      assign6(3, i3,
      assign6(4, i4,
      assign6(5, i5, newword[6])))))))


bitsel: function[bool, bool, bool, bool -> bool] =
   (LAMBDA lbit, lsel, incbit, incsel -> bool:
      NAND2(NAND2(lbit, lsel), NAND2(incbit, incsel)))


MPLEXCIRC: function[word6, word6, bool -> word6]

MPLEXCIRC_ax: AXIOM MPLEXCIRC(incout, loadin, mplxsel) =
   output(bitsel(bit6(0, loadin), INV(mplxsel), bit6(0, incout), mplxsel),
          bitsel(bit6(1, loadin), INV(mplxsel), bit6(1, incout), mplxsel),
          bitsel(bit6(2, loadin), INV(mplxsel), bit6(2, incout), mplxsel),
          bitsel(bit6(3, loadin), INV(mplxsel), bit6(3, incout), mplxsel),
          bitsel(bit6(4, loadin), INV(mplxsel), bit6(4, incout), mplxsel),
          bitsel(bit6(5, loadin), INV(mplxsel), bit6(5, incout), mplxsel))

carry4bar: function[word6, bool -> bool] =
   (LAMBDA cntr, noinc -> bool:
      NAND4(INV(noinc), bit6(0, cntr), bit6(1, cntr), bit6(2, cntr)))
INCCIRC: function[word6, bool -> word6] =
   (LAMBDA cntr, noinc -> word6:
      output(XNOR(bit6(0, cntr), noinc),
             XNOR(bit6(1, cntr), NAND2(INV(noinc), bit6(0, cntr))),
             XNOR(bit6(2, cntr),
                  NAND3(INV(noinc), bit6(0, cntr), bit6(1, cntr))),
             XNOR(bit6(3, cntr), carry4bar(cntr, noinc)),
             XNOR(bit6(4, cntr),
                  NAND2(INV(carry4bar(cntr, noinc)), bit6(3, cntr))),
             XNOR(bit6(5, cntr),
                  NAND3(INV(carry4bar(cntr, noinc)),
                        bit6(3, cntr),
                        bit6(4, cntr)))))


inccon: function[word2 -> bool] =
   (LAMBDA Node -> bool:
      NOR2(bit2(0, Node), bit2(1, Node)))


common: function[word2, word2 -> bool] =
   (LAMBDA Node, Func -> bool:
      NAND3(inccon(Node), INV(bit2(1, Func)), bit2(0, Func)))

CONTROLCIR: function[word2, word2, bool -> cntrlsigs] =
   (LAMBDA Node, Func, Double -> cntrlsigs:
      make_triple(inccon(Node),
                  NAND2(bit2(0, Node), bit2(1, Node)),
                  assign2(0, NAND2(common(Node, Func),
                                   NAND2(inccon(Node), bit2(1, Func))),
                  assign2(1, NAND2(common(Node, Func),
                                   NAND3(Double,
                                         bit2(0, Node),
                                         INV(bit2(1, Node)))),
                          newword[2]))))


(* Mappings to "cnt6_blk" *)

cnt6_blk.INCLOGIC: function[word6, bool -> word6] = INCCIRC

cnt6_blk.MULTIPLEX: function[word6, word6, bool -> word6] = MPLEXCIRC


(*
cnt6_blk.INCCON: function[word2, word2, bool -> bool] =
   (LAMBDA Node, Func, Double -> bool:
      first(CONTROLCIR(Node, Func, Double)))

cnt6_blk.MPLXCON: function[word2, word2, bool -> bool] =
   (LAMBDA Node, Func, Double -> bool:
      second(CONTROLCIR(Node, Func, Double)))
*)

cnt6_blk.NEXTNODE: function[word2, word2, bool -> word2] =
   (LAMBDA Node, Func, Double -> word2:
      third(CONTROLCIR(Node, Func, Double)))

END cnt6_cir
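The three modules cnt6_fa, cnt6_blk and cnt6_cir above describe the same counter at three levels: an automaton with four control nodes, a block diagram of an incrementer, a multiplexer and a next-node function, and a gate netlist of NAND, XNOR and NOR elements. The EHDM proofs discharge the mapping obligations between the top two of these levels symbolically; the page gives no proof for the cnt6_cir mapping. The Python model below is an added illustration, not part of the EHDM text or the RSRE/NASA work: it transcribes the definitions of all three levels and exhaustively compares them over every state vector, load value and function code, which is feasible because the state space is only 64 x 2 x 4 states. Assumptions not stated on the page: words are unsigned integers (word6 is 0..63, word2 is 0..3) with bit(i, w) the i-th bit of that value; a statevector is the tuple (count, double, node) in the order of make_triple; and the fourth input of carry4bar is bit 2 of the counter, the reading consistent with the ripple structure of INCCIRC.

```python
# Executable model of cnt6_fa, cnt6_blk and cnt6_cir (added illustration,
# not from the EHDM text).  word6/word2 are ints 0..63 / 0..3; a statevector
# is the tuple (count, double, node).  Assumptions: bit(i, w) is bit i of the
# unsigned value w; carry4bar's fourth input is bit 2 of the counter.
from itertools import product

FETCHNODE, INC1NODE, INC2NODE, LOADNODE = 0, 1, 2, 3

def bit(i, w):
    return (w >> i) & 1 == 1

def add1(ct):                               # ADD1: increment modulo 64
    return 0 if ct == 63 else ct + 1

# --- cnt6_fa: FETCH_ax .. LOAD_ax, NEXT0_ax .. NEXT3_ax, Finite_automata
def fetch(ct, dbl, ldn, fn):
    return (ct, bit(0, fn), FETCHNODE if fn == 0 else LOADNODE if fn == 1 else INC1NODE)

def inc1(ct, dbl, ldn, fn):
    return (add1(ct), bit(0, fn), INC2NODE if dbl else FETCHNODE)

def inc2(ct, dbl, ldn, fn):
    return (add1(ct), bit(0, fn), FETCHNODE)

def load(ct, dbl, ldn, fn):
    return (ldn, bit(0, fn), FETCHNODE)

def next_fa(svt, ldn, fn):
    ct, dbl, node = svt
    return (fetch, inc1, inc2, load)[node](ct, dbl, ldn, fn)

def exec_cnt(svt, ldn, fn, step=next_fa):   # one NEXT for fn=0, three for fn=3, else two
    for _ in range({0: 1, 3: 3}.get(fn, 2)):
        svt = step(svt, ldn, fn)
    return svt

# --- cnt6_blk: INCLOGIC_ax, MULTIPLEX_ax, INCCON, MPLXCON, NEXTNODEn_ax, COUNTLOGIC
def inclogic(ct, noinc):            return ct if noinc else add1(ct)
def multiplex(incout, loadin, sel): return incout if sel else loadin
def inccon(nd):                     return nd == 0
def mplxcon(nd):                    return nd != 3

def nextnode(nd, func, dbl):
    if nd == 0:
        return FETCHNODE if func == 0 else LOADNODE if func == 1 else INC1NODE
    return INC2NODE if nd == 1 and dbl else FETCHNODE

def countlogic(stv, loadin, func, inc=inclogic, mux=multiplex, nn=nextnode):
    ct, dbl, nd = stv
    return (mux(inc(ct, inccon(nd)), loadin, mplxcon(nd)), bit(0, func), nn(nd, func, dbl))

# --- cnt6_cir: gate-level INCCIRC, MPLEXCIRC and CONTROLCIR
def INV(b):      return not b
def NAND(*bs):   return not all(bs)        # NAND2 / NAND3 / NAND4
def XNOR(a, b):  return a == b
def NOR2(a, b):  return not (a or b)

def output(*bits):                          # the assign6 / assign2 chain
    return sum(1 << i for i, b in enumerate(bits) if b)

def mplexcirc(incout, loadin, sel):
    def bitsel(lbit, lsel, incbit, incsel):
        return NAND(NAND(lbit, lsel), NAND(incbit, incsel))
    return output(*(bitsel(bit(i, loadin), INV(sel), bit(i, incout), sel) for i in range(6)))

def inccirc(cntr, noinc):
    c4bar = NAND(INV(noinc), bit(0, cntr), bit(1, cntr), bit(2, cntr))   # carry4bar (bit 2 assumed)
    return output(XNOR(bit(0, cntr), noinc),
                  XNOR(bit(1, cntr), NAND(INV(noinc), bit(0, cntr))),
                  XNOR(bit(2, cntr), NAND(INV(noinc), bit(0, cntr), bit(1, cntr))),
                  XNOR(bit(3, cntr), c4bar),
                  XNOR(bit(4, cntr), NAND(INV(c4bar), bit(3, cntr))),
                  XNOR(bit(5, cntr), NAND(INV(c4bar), bit(3, cntr), bit(4, cntr))))

def controlcir(node, func, dbl):            # -> (inccon, mplxcon, nextnode) as in cntrlsigs
    ic = NOR2(bit(0, node), bit(1, node))
    common = NAND(ic, INV(bit(1, func)), bit(0, func))
    nn = output(NAND(common, NAND(ic, bit(1, func))),
                NAND(common, NAND(dbl, bit(0, node), INV(bit(1, node)))))
    return ic, NAND(bit(0, node), bit(1, node)), nn

def nextnode_cir(nd, func, dbl):
    return controlcir(nd, func, dbl)[2]

# --- refinement checks over every input
def check_hierarchy():
    """Number of (state, loadin, func) points where any level disagrees with the one above."""
    bad = 0
    for ct, dbl, nd, ldn, fn in product(range(64), (False, True), range(4), range(64), range(4)):
        stv = (ct, dbl, nd)
        blk = countlogic(stv, ldn, fn)                                  # cnt6_fa.NEXT := COUNTLOGIC
        cir = countlogic(stv, ldn, fn, inccirc, mplexcirc, nextnode_cir)
        ic, ms, _ = controlcir(nd, fn, dbl)
        if not (next_fa(stv, ldn, fn) == blk == cir and (ic, ms) == (inccon(nd), mplxcon(nd))):
            bad += 1
        if nd == FETCHNODE:                                             # cnt_0 .. cnt_3 and ready
            out = exec_cnt(stv, ldn, fn)
            bad += out[0] != (ct, ldn, add1(ct), add1(add1(ct)))[fn] or out[2] != FETCHNODE

    return bad

if __name__ == "__main__":
    print("mismatches across the three levels:", check_hierarchy())
```

The exhaustive comparison is what the EHDM mappings establish symbolically, with the difference that the proof covers the mapping obligations once and for all whereas the enumeration is only conclusive because the design is tiny. The check of the first two components of CONTROLCIR against INCCON and MPLXCON corresponds to the two mappings that the module above leaves commented out; they hold for the circuit as transcribed even though their signatures do not line up with the block-level functions.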


ineq_cases: MODULE

THEORY

y, m: VAR int

Y_0: THEOREM (y>=0 AND y<1) IMPLIES y=0
Y_01: THEOREM (y>=1 AND y<2) IMPLIES y=1

Y_S: THEOREM (y>=0 AND y<2) IMPLIES ((y>=0 AND y<1) OR (y>=1 AND y<2))
Y_1: THEOREM (y>=0 AND y<2) IMPLIES (y=0 OR y=1)

M_R: THEOREM (y>=0 AND y<=m) IMPLIES ((y>=0 AND y<=m-1) OR (y=m))

PROOF

pY0: PROVE Y_0
pY01: PROVE Y_01

pYS: PROVE Y_S

pY1: PROVE Y_1 FROM
   Y_S, Y_0, Y_01

pMR: PROVE M_R


END ineq_cases
int_inductions: MODULE
EXPORTING next, pred, geq, bge
THEORY

i, j: VAR int

d1, d2, d3, d4, d5: VAR int
x, y, z, s: VAR int

First: int = 0

next: function[int -> int] = (LAMBDA i -> int: i+1)

pred: function[int -> int] = (LAMBDA i -> int: IF i > 0 THEN i-1 ELSE 0 END)

geq: function[int, int -> bool] = (LAMBDA i, j -> bool: (i>=j))

bge: function[int -> bool] =
   (LAMBDA i -> bool: IF i>=0 THEN true ELSE false END)

p: VAR function[int -> bool]


int_complete: THEOREM (FORALL d1: geq(d1, First) IMPLIES
      (FORALL d3: (geq(d3, First) AND geq(d1, d3) AND d3 ~= d1) IMPLIES
         p(d3)) IMPLIES p(d1))
   IMPLIES (FORALL d2: geq(d2, First) IMPLIES p(d2))


int_induction: THEOREM (p(First) AND (FORALL d1: p(d1) IMPLIES p(next(d1))))
   IMPLIES (FORALL d2: geq(d2, First) IMPLIES p(d2))

int_induct_by_2: THEOREM (p(First) AND p(next(First)) AND (FORALL d1: p(d1)
                                     IMPLIES p(next(next(d1)))))
   IMPLIES (FORALL d2: (geq(d2, First) IMPLIES p(d2)))


END int_inductions